HttpOnly Cookies to Prevent XSS Attacks


Icheb
Mon 18th Sep '06, 8:34pm
In the announcement for 3.6.1 Kier mentions "HttpOnly Cookies to Prevent XSS Attacks". How exactly is that achieved? I would love to know how you guys implemented that.

Colin F
Tue 19th Sep '06, 8:17am
Internet Explorer introduced a tag for cookies called HttpOnly.
This prevents cookies from being called by JavaScript and thus reduces the risk of XSS attacks.
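
The mechanism described in the reply above, as an added example that is not part of the original post and is not vBulletin's code: the server appends the `HttpOnly` attribute to its `Set-Cookie` header, and a small audit lists the cookies that page script could still read. The cookie names and header values are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie header values (not taken from any real site).
SAMPLE_HEADERS = [
    "session_id=3f9a1c; path=/; HttpOnly",
    "lastvisit=1158600000; expires=Tue, 18-Sep-2007 20:34:00 GMT; path=/",
    "theme=dark; Path=/; httponly",
]

def build_session_cookie(name, value):
    """Server side: build a Set-Cookie value that carries the HttpOnly attribute."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = True  # emitted as the bare attribute "HttpOnly"
    return cookie[name].OutputString()

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased because browsers match them
    case-insensitively. Assumes the cookie value itself contains no ';'.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def script_readable(headers):
    """Names of cookies set without HttpOnly, i.e. visible to document.cookie."""
    return [
        name
        for name, _, attrs in map(parse_set_cookie, headers)
        if "httponly" not in attrs
    ]

if __name__ == "__main__":
    print(build_session_cookie("session_id", "abc123"))
    for name in script_readable(SAMPLE_HEADERS):
        print("readable by page script:", name)
```

The attribute only keeps the cookie out of `document.cookie`; the browser still sends it with every request, so it limits session-cookie theft through injected script rather than removing the injection itself.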

Icheb
Tue 19th Sep '06, 6:59pm
I have never heard of that before. Thank you!