HTTPOnly

It is an optinal flag in Set-Cookie Header. If "httpOnly" is enabled, client-side scripts would not be able to access the cookie, as the browser would prohibit it.

If the cookie has httpOnly an attacker can't steal victim cookie.

Can I use in browsers

Implemented by allmost all browsers. 2023042015443939 httponly#^9c74b7

References

1. (OWASP, 2021), https://owasp.org/www-community/HttpOnly 
2. https://caniuse.com/?search=httponly ^9c74b7