Some cookies are designed only to be read by the server, not by a browser or any scripts running on the page. An HTTP-only cookie is that kind of cookie. It has the HttpOnly attribute, a cookie flag, so JavaScript can’t access it.
Let’s say a cookie stores sensitive information, such as your login details. If that cookie is visible to JavaScript, a hacker could potentially steal it through a cross-site scripting (XSS) attack. But the HttpOnly keeps it safe and makes it much harder for anyone to steal it.
