1. headers http header: set-cookie: httponly