-Cookies without HttpOnly flag are accessible to JavaScript running in the same origin. In case of
-Cross-Site Scripting (XSS) vulnerability the cookie can be stolen by malicious script.
-
Cookies without the HttpOnly flag set are accessible to client-side scripts such as JavaScript running in the same origin.
+In case of a Cross-Site Scripting (XSS) vulnerability, the cookie can be stolen by a malicious script.
+If a sensitive cookie does not need to be accessed directly by client-side JS, the HttpOnly flag should be set.
-Protect sensitive cookies, such as related to authentication, by setting HttpOnly to true to make
-them not accessible to JavaScript. In ASP.NET case it is also possible to set the attribute via <httpCookies> element
-of web.config with the attribute httpOnlyCookies="true".
+Set the HttpOnly flag to true for authentication cookies to ensure they are not accessible to client-side scripts.
+
+When using ASP.NET Core, CookiePolicyOptions can be used to set a default policy for cookies.
+
+When using ASP.NET Web Forms, a default may also be configured in the Web.config file, using the httpOnlyCookies attribute of the
+the <httpCookies> element.
-In the example below Microsoft.AspNetCore.Http.CookieOptions.HttpOnly is set to true.
+In the example below, Microsoft.AspNetCore.Http.CookieOptions.HttpOnly is set to true.
-In the following example CookiePolicyOptions are set programmatically to configure defaults.
+In the following example, CookiePolicyOptions are set programmatically to configure defaults.
-In the example below System.Web.HttpCookie.HttpOnly is set to true.
+In the example below, System.Web.HttpCookie.HttpOnly is set to true.
+In the example below, the httpOnlyCookies attribute is set to true in the Web.config file.
+
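Review bot: the sentence spanning the two `<httpCookies>` lines in this hunk has a duplicated word ("using the httpOnlyCookies attribute of the" / "the <httpCookies> element"); drop one "the" so it reads "using the httpOnlyCookies attribute of the <httpCookies> element." Also, the new wording switches between "client-side scripts" (context line and the "Set the HttpOnly flag to true" line) and "client-side JS" (the "If a sensitive cookie" line); pick one term, preferably "client-side scripts" to match the unchanged sentence above it, so the guidance reads consistently. Finally, the explanatory text is now split between "Set the HttpOnly flag to true for authentication cookies" and the earlier "If a sensitive cookie does not need to be accessed directly by client-side JS, the HttpOnly flag should be set"; consider keeping the broader "sensitive cookies" phrasing in the recommendation as well, since the original line covered "sensitive cookies, such as related to authentication" rather than authentication cookies only.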
-Sensitive data that is transmitted using HTTP is vulnerable to being read by a third party. By default, -cookies are sent via HTTP, not HTTPS. -
+Cookies without the Secure flag set may be transmitted using HTTP instead of HTTPS.
+This leaves them vulnerable to being read by a third party attacker. If a sensitive cookie such as a session
+key is intercepted this way, it would allow the attacker to perform actions on a user's behalf.
-In ASP.NET case when using cookies ensure that HTTPS is used by setting the property Microsoft.AspNetCore.Http.CookieOptions.Secure to true.
+When using ASP.NET Core, ensure cookies have the secure flag set by setting Microsoft.AspNetCore.Http.CookieOptions.Secure to true, or
+using CookiePolicyOptions to set a default security policy.
-In ASP.NET Core case when using cookies, ensure that HTTPS is used, either via the <forms> attribute above, or
-the <httpCookies> element, with the attribute requireSSL="true". It is also possible to require cookies
-to use HTTPS programmatically, by setting the property System.Web.HttpCookie.Secure to true.
+When using ASP.NET Web Forms, cookies can be configured as secure by default in the Web.config file, setting the requireSSL attribute to true in the forms or httpCookies element.
+Cookies may also be set to be secure programmatically by setting the System.Web.HttpCookie.Secure attribute to true.
-In the example below Microsoft.AspNetCore.Http.CookieOptions.Secure is set to true programmatically.
+In the example below, Microsoft.AspNetCore.Http.CookieOptions.Secure is set to true.
-In the following example CookiePolicyOptions are set programmatically to configure defaults.
+In the following example, CookiePolicyOptions are set programmatically to configure defaults.
System.Web.HttpCookie.Secure is set to t
+
+In the example below, the requireSSL attribute is set to true in the forms element of the Web.config file.
+
+
+
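Review bot: the line "Cookies may also be set to be secure programmatically by setting the System.Web.HttpCookie.Secure attribute to true" calls Secure an attribute, but the removed text correctly called it a property (it is a member of System.Web.HttpCookie, while requireSSL in Web.config is the attribute); restore "property" here so the two mechanisms are not conflated. Two smaller points in the same hunk: "ensure cookies have the secure flag set" should capitalise "Secure" to match "Cookies without the Secure flag set" two lines earlier, and "third party attacker" should be hyphenated as "third-party attacker". The hunk also ends with three added empty lines after "In the example below, the requireSSL attribute is set to true in the forms element of the Web.config file."; one blank line is enough, the rest are trailing whitespace that will show up in every future diff of this file.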