A website's cookies should be protected at all times so that they cannot be read and manipulated by third-party scripts.

In the vast majority of cases, it is not necessary for the application to access cookies that have been already set in the browser. For this reason, most browsers have been enhanced with a feature that allows you to decide for each individual cookie whether it is available in the browser.

To do this, use the HttpOnly flag in the Set Cookie Response header:
Set-Cookie: MeinCookie=myvalue; path=/; HttpOnly     

If you use PHP, you can simply set the flag using the setcookie() function. PHP sets a session cookie itself and you can influence its behavior via the session_set_cookie_params() function.

Tip: If you use a content management system such as WordPress or Joomla!, you can check if you are using a plug-in that uses insecure cookies. Simply disable the plug-ins you are using and run the Website-Checker again. In this way, you can easily see if any of your enabled plug-ins are using insecure cookies.