caolan · caolan · Apr 26, 2011 · Apr 25, 2011
diff --git a/lib/cookie-sessions.js b/lib/cookie-sessions.js
@@ -39,13 +39,13 @@ var exports = module.exports = function(settings){
                 if ("cookie" in req.headers) {
                     cookiestr = escape(s.session_key) + '='
                         + '; expires=' + exports.expires(0)
-                        + '; path=/';
+                        + '; path=/; HttpOnly';
                 }
             } else {
                 cookiestr = escape(s.session_key) + '='
                     + escape(exports.serialize(s.secret, req.session))
                     + '; expires=' + exports.expires(s.timeout)
-                    + '; path=/';
+                    + '; path=/; HttpOnly';
             }
 
             if (cookiestr !== undefined) {