Network Pipe Manufacturer


    1.0.3 • Public • Published

    Cookie HttpOnly

    License Build Status Build status Coverage Status Known Vulnerabilities

    Restricting access to cookies is essential for security in many web apps. For example, the session ID, the secret token used to identify a particular session, is typically stored in a cookie.

    Cookies HttpOnly is a Node.js® module for getting and setting HTTP(S) cookies with the HttpOnly flag set and strict security policy. This module implemented by following the RFC 6265 Standard.

    Getting Started


    To use Cookie HttpOnly in your project, run:

    npm i cookie-httponly

    Configure Nginx

    Setting location up Nginx as proxy for Nodejs application:

    location @nodejs {
      proxy_pass http://localhost:8080;
      proxy_http_version 1.1;
      proxy_set_header Host $host:$server_port;
      proxy_set_header IP $remote_addr;

    API docs

    Table of Contents

    class Cookie

    class: Cookie

    This class implemented by following the ECMAScript® 2018 Language Specification Standard. To use this module:

    const Cookie = require('cookie-httponly');

    constructor: new Cookie(request, response)

    const http = require('http');
    const Cookie = require('cookie-httponly');
    http.createServer((req, res) => {
      const cookie = new Cookie(req, res);

    When the class instance is initialized successfully, the HTTP headers are read and parsed. The resulting values are available from the cookie.entries field.

    The connection must be established from the domain name (i.e., not an IP address)


    • name <String>
    • returns: <Boolean> A true if an element with the specified key exists in the cookie.entries; otherwise false.

    The method returns a Boolean value indicating whether or not an element with the specified key name exists from the cookie.entries field.


    • name <String>
    • returns: <String | undefined> A string if an element with the specified key exists in the cookie.entries; otherwise undefined.

    The method returns the value of the specified name from the cookie.entries field.

    cookie.set(name, value[, options])

    • name <String> Invalid characters will be deleted or escaped.

    • value <String> Invalid characters will be deleted or escaped.

    • options <Object>

      • domain <String> The domain option specifies those hosts to which the cookie will be sent. For example, if the value of the domain option is '', the user agent will include the cookie in the Cookie header when making HTTP(S) requests to '', '', and ''.

        NOTE That a leading '.', if present, is ignored even though that character is not permitted, but a trailing '.', if present, will cause the user agent to ignore the attribute.

        If the server omits the domain options, the user agent will return the cookie only to the origin server. Domain matching the string is a host name (i.e., not an IP address). Default: cookie.domain.

      • path <String> Cookie path, use '/' as the path if you want your cookie to be accessible on all pages. Default: '/'.

      • expires <Date> The Expires attribute indicates the date and time at which the cookie expires. Default: current session.

      NOTE Typical session identifier might reasonably be set to expire in two weeks.

    • returns: <undefined>

    Installing HTTP(S) headers. Note that setting headers does not mean the appearance of values in the cookie.entries field. With the https secure connection, the method will automatically add the security flag to the headers.

    An example of setting the headers to record cookies for 1 year.

    const http = require('http');
    const Cookie = require('cookie-httponly');
    http.createServer((req, res) => {
      const cookie = new Cookie(req, res);
      let forYear = new Date();
      cookie.set('user', '84b7e44aa54d002eac8d00f5bfa9cc93410f2a48', {
        expires: forYear.setUTCFullYear(forYear.getUTCFullYear() + 1)

    To send headers for remove of cookies by name, simply set the header with the begin date and time.

    const http = require('http');
    const Cookie = require('cookie-httponly');
    http.createServer((req, res) => {
      const cookie = new Cookie(req, res);
      cookie.set('user', '', {
        expires: new Date(0) // Thu, 01 Jan 1970 00:00:00 GMT




    • <Map> The values of the incoming cookie.


    • <String> The value is set when creating an instance of the class from the request.headers field of the current connection. The connection must be established from the domain name (i.e., not an IP address).

    • <Boolean> true if the current session has a secure connection; otherwise false.

    You can override the properties cookie.domain and


    npm i cookie-httponly

    DownloadsWeekly Downloads






    Unpacked Size

    13.4 kB

    Total Files


    Last publish


    • woodger