@@ -72,16 +72,19 @@ The HttpOnly flag is a cookie attribute that prevents the cookie from being acce
Do not enable HttpOnly if:
- You are using the Access application for non-browser based tools.
- You are using the Access application for non-browser based tools (such as SSH or RDP).
- You have software that relies on being able to access a user’s cookie generated by Access.
### Binding Cookie
The Binding Cookie is an additional cookie created when a user successfully authenticates, shared with Cloudflare to verify identity, and then stripped before it reaches the origin server. The Binding Cookie associates the browser with the Access token; the association protects against compromised authorization tokens because the origin webapp would never see this binding cookie. This protects against session hijack style attacks.
#### When not to use the Binding Cookie
#### When not to use Binding Cookie
Do not use the Binding Cookie for non-browser based Access applications that rely on protocols like SSH, RDP, etc.
Do not enable Binding Cookie if:
- You are using the Access application for non-browser based tools (such as SSH or RDP).
- You have enabled [Automatic Signed Exchanges](/speed/optimization/other/signed-exchanges/enable-signed-exchange/), [Automatic Platform Optimization](/automatic-platform-optimization) or [Zaraz](/zaraz) on the application domain.
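Review bot: The new last bullet under "Do not enable Binding Cookie if:" lists Automatic Signed Exchanges, Automatic Platform Optimization and Zaraz as exclusions without giving a reason. A reader cannot tell what breaks when the Binding Cookie is enabled alongside them, or whether the conflict affects security or only functionality. Add one sentence stating the effect. In the same bullet the link targets are inconsistent: the first ends with a trailing slash, while `/automatic-platform-optimization` and `/zaraz` do not. The reworded heading and lead-in also drop the article ("Binding Cookie"), while the unchanged paragraph above still says "The Binding Cookie"; pick one form and use it throughout the section.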