Inspectopedia 2025.2 Help

RoslynAnalyzers Set HttpOnly to true for HttpCookie

As a defense in depth measure, ensure security sensitive HTTP cookies are marked as HttpOnly. This indicates web browsers should disallow scripts from accessing the cookies. Injected malicious scripts are a common way of stealing cookies.

Locating this inspection

By ID

Can be used to locate inspection in e.g. Qodana configuration files, where you can quickly enable or disable it, or adjust its settings.

CA5396
Via Settings dialog

Path to the inspection settings via IntelliJ Platform IDE Settings dialog, when you need to adjust inspection settings directly from your IDE.

Settings or Preferences | Editor | Inspections | C# | Roslyn Analyzers

Suppressing Inspection

You can suppress this inspection by placing the following comment marker before the code fragment where you no longer want messages from this inspection to appear:

//noinspection CA5396

More detailed instructions as well as other ways and options that you have can be found in the product documentation:

Inspection Details

By default bundled with:

JetBrains Rider 2025.2, Qodana for .NET 2025.2,

Last modified: 18 September 2025
RoslynAnalyzers Set 'MaxResponseHeadersLength' properlyRoslynAnalyzers Set ViewStateUserKey For Classes Derived From Page