attribute is only visible in the Set-Cookie
response header when a cookie is set
; the client will not send that attribute back
to the server when it resends
the cookie to the server on subsequent requests.
Browser tools that show a cookie's httponly
state do so by directly examining the cookie metadata within the browser's cookie database.