The bottom line is this - while this cookie option flag does absolutely nothing to prevent XSS attacks, it does significanly help to prevent the #1 XSS attack goal which is stealing SessionIDs. While HTTPOnly is not a "silver bullet" by any means, the potential ROI of implement it is quite large. Notice I said "potential" as in order to provide the intended protections, two key players have to work together. This article looks at one way you can make your Web cookies more secure by using the Apache's extension called modsecurity. If you are interested in this please read on for more information and how you set this up on your own Apache web server.

The link for this article located at modsecurity is no longer available.