diff --git a/api/handler/common.go b/api/handler/common.go
index b4f35fa0..20699485 100644
--- a/api/handler/common.go
+++ b/api/handler/common.go
@@ -17,7 +17,7 @@ func SetJWTCookie(c echo.Context, jwt service.JWT) error {
 	cookie := new(http.Cookie)
 	cookie.Name = "StringJWT"
 	cookie.Value = jwt.Token
-	// cookie.HttpOnly = true // due the short expiration time it is not needed to be http only
+	cookie.HttpOnly = true
 	cookie.Expires = jwt.ExpAt // we want the cookie to expire at the same time as the token
 	cookie.SameSite = getCookieSameSiteMode()
 	cookie.Path = "/" // Send cookie in every sub path request
@@ -60,6 +60,7 @@ func DeleteAuthCookies(c echo.Context) error {
 	cookie := new(http.Cookie)
 	cookie.Name = "StringJWT"
 	cookie.Value = ""
+	cookie.HttpOnly = true
 	cookie.Expires = time.Now()
 	cookie.SameSite = getCookieSameSiteMode()
 	cookie.Path = "/" // Send cookie in every sub path request
@@ -69,6 +70,7 @@ func DeleteAuthCookies(c echo.Context) error {
 	cookie = new(http.Cookie)
 	cookie.Name = "refresh_token"
 	cookie.Value = ""
+	cookie.HttpOnly = true
 	cookie.Expires = time.Now()
 	cookie.SameSite = getCookieSameSiteMode()
 	cookie.Path = "/login/" // Send cookie only in refresh path request
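Review bot: The new `cookie.HttpOnly = true` in SetJWTCookie is not paired with `cookie.Secure = true` anywhere in this hunk; if it is not set further down (the function body continues past the hunk), the token cookie is still sent over plain HTTP, and when getCookieSameSiteMode() returns SameSiteNoneMode browsers discard a cookie that lacks Secure. The removed comment argued that a short expiry made HttpOnly unnecessary, but a short lifetime only narrows the window in which page script can read the token, it does not close it, so the flag is the right call. The added line would read better with a why-comment in the style of its neighbours, e.g. `cookie.HttpOnly = true // keep the token out of reach of page scripts`.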
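Review bot: The deletion cookies in DeleteAuthCookies (this hunk and the refresh_token hunk below it) rely on `cookie.Expires = time.Now()` to clear the cookie, which only works when the client's clock is not behind the server's; on a skewed client the new HttpOnly flag is set on a cookie that is never actually removed. `cookie.MaxAge = -1` instructs the browser to delete the cookie immediately regardless of its clock and is the documented way to expire a cookie in net/http, so adding it next to the new line would make both deletions reliable. Since a cookie is overwritten only when Name, Domain and Path match the one originally set, a short comment such as `cookie.HttpOnly = true // mirror the attributes of the cookie set at login` would also explain why a flag is set on a cookie that carries no value.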