This contains a special ‘HttpOnly’ flag, included in the HTTP cookie header, that ensures cookies will only be used when transmitting HTTP (or HTTPS) requests, rather than being exposed to scripts running in the page.
Combined, the Secure setting and the HttpOnly flag help to produce a more robust cookie that is less prone to attacks. Together they allow the browser to restrict access to secure cookie data from scripts within the web browser. This limits the potential damage many cross-site scripting attacks can cause, specifically the attacks that target cookie data.
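As an added example (not code from the original page), the following Python sketch builds a cookie with both flags using the standard library and audits a response's `Set-Cookie` headers for cookies missing either one. The function names, cookie names and sample response are constructed for illustration.

```python
from http.cookies import SimpleCookie

FLAGS = ("Secure", "HttpOnly")

def build_session_cookie(name, value):
    """Return a Set-Cookie header value with Secure and HttpOnly set."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["secure"] = True     # only sent over HTTPS
    cookie[name]["httponly"] = True   # hidden from document.cookie
    return cookie[name].OutputString()

def audit_set_cookie(header_value):
    """Return the flags missing from one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    # parts[0] is name=value; attribute names are case-insensitive
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return [flag for flag in FLAGS if flag.lower() not in attrs]

def audit_response(raw_headers):
    """Map cookie name -> missing flags for every Set-Cookie line."""
    findings = {}
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        missing = audit_set_cookie(value)
        if missing:
            findings[value.split("=", 1)[0].strip()] = missing
    return findings

# Constructed sample response headers (not captured from a real site)
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly
Set-Cookie: theme=dark; Path=/
Set-Cookie: cart=42; Path=/; secure
"""

if __name__ == "__main__":
    print(build_session_cookie("sessionid", "abc123"))
    for cookie_name, missing in audit_response(SAMPLE).items():
        print(f"{cookie_name}: missing {', '.join(missing)}")
```
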