Venafi Director, All versions
Cookie without "httponly" flag set / Missing "httponly" Attribute in Session Cookie
There is usually no good reason not to set the "httponly" flag on all cookies. Unless your application specifically requires legitimate client-side scripts to read or set a cookie's value, you should set the HttpOnly flag by including this attribute in the relevant Set-Cookie header. Be aware that the restrictions imposed by the "httponly" flag can be circumvented in some circumstances, and that client-side script injection enables numerous other serious attacks beyond simple cookie theft.
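As an added example (not Venafi's code), the following Python audit parses Set-Cookie header values, reports which cookies lack the HttpOnly and Secure attributes, and re-emits a hardened line. The header values it checks are constructed samples, not captured from Venafi Director.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie values (not from any real product).
# The first one is the weak case: a session cookie with no HttpOnly/Secure.
SAMPLE_SET_COOKIE_HEADERS = [
    "SESSIONID=abc123; Path=/",
    "token=xyz; Path=/; Secure; HttpOnly",
]


def audit_set_cookie(header_value):
    """Return {cookie_name: [missing attribute names]} for one Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = {}
    for name, morsel in jar.items():
        missing = []
        # Morsel flags are "" when absent and True when present.
        if not morsel["httponly"]:
            missing.append("HttpOnly")
        if not morsel["secure"]:
            missing.append("Secure")
        findings[name] = missing
    return findings


def audit_response(set_cookie_headers):
    """Audit every Set-Cookie header of a response; returns only the weak cookies."""
    weak = {}
    for header_value in set_cookie_headers:
        for name, missing in audit_set_cookie(header_value).items():
            if missing:
                weak[name] = missing
    return weak


def harden(header_value):
    """Re-emit the Set-Cookie value(s) with HttpOnly and Secure added."""
    jar = SimpleCookie()
    jar.load(header_value)
    hardened = []
    for morsel in jar.values():
        morsel["httponly"] = True
        morsel["secure"] = True
        hardened.append(morsel.OutputString())
    return hardened


if __name__ == "__main__":
    for line in SAMPLE_SET_COOKIE_HEADERS:
        print(line, "->", audit_set_cookie(line))
    print("hardened:", harden(SAMPLE_SET_COOKIE_HEADERS[0]))
```

Run it against the Set-Cookie headers captured from a login response to see which session cookies would be exposed to script access.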
Venafi does not use the "httponly" flag to prevent any CSRF (Cross Site Request Forgery) attacks.