---
title: isHTTPOnly
framework: foundation
role: symbol
role_heading: Instance Property
path: foundation/httpcookie/ishttponly
---

# isHTTPOnly

A Boolean value that indicates whether the cookie should only be sent to HTTP servers.

## Declaration

```swift
var isHTTPOnly: Bool { get }
```

## Discussion

The value of this property is `true` if the cookie should only be sent using HTTP headers, `false` otherwise.

Cookies can be marked as HTTP-only by a server (or by JavaScript code). Cookies marked as such must only be sent via HTTP headers in HTTP requests for URLs that match both the path and domain of the respective cookies.

Note: RFC 6265 formally defines the HttpOnly attribute.

Important: To prevent cross-site scripting vulnerabilities, don’t deliver cookies marked as HTTP-only to JavaScript code.
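The following added example (not part of the original documentation) shows one way to honor that rule when native code hands cookies to script: it parses `Set-Cookie` lines with `HTTPCookie.cookies(withResponseHeaderFields:for:)` and excludes every cookie whose `isHTTPOnly` is `true`. The origin URL, the header lines, and the helper names `parseCookies` and `scriptVisibleCookieString` are assumptions made for illustration.

```swift
import Foundation

// Constructed sample data: a hypothetical origin and Set-Cookie header lines.
let origin = URL(string: "https://example.com/account")!
let setCookieLines = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/"
]

/// Hypothetical helper: parses each Set-Cookie line on its own so that
/// commas inside attributes cannot be mistaken for cookie separators.
func parseCookies(_ lines: [String], for url: URL) -> [HTTPCookie] {
    lines.flatMap {
        HTTPCookie.cookies(withResponseHeaderFields: ["Set-Cookie": $0], for: url)
    }
}

/// Hypothetical helper: builds the cookie string a native-to-JavaScript
/// bridge may expose, leaving out every cookie marked HttpOnly.
func scriptVisibleCookieString(from cookies: [HTTPCookie]) -> String {
    cookies
        .filter { !$0.isHTTPOnly }
        .map { "\($0.name)=\($0.value)" }
        .joined(separator: "; ")
}

let cookies = parseCookies(setCookieLines, for: origin)

// Report how each cookie was classified.
for cookie in cookies {
    print(cookie.name, "isHTTPOnly:", cookie.isHTTPOnly)
}

// Only cookies without the HttpOnly attribute reach the script-visible string.
print(scriptVisibleCookieString(from: cookies))
```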

## See Also

### Securing cookies

- [isSecure](foundation/httpcookie/issecure.md)
- [sameSitePolicy](foundation/httpcookie/samesitepolicy.md)
- [HTTPCookieStringPolicy](foundation/httpcookiestringpolicy.md)
