I have read about this question on SO, so I don't mention the "Cookie XSS can be guarded against httpOnly flag".

(XST is kind of XSS )

https://stackoverflow.com/a/524934/6335029