diff --git a/app/controllers/agent_connect/agent_controller.rb b/app/controllers/agent_connect/agent_controller.rb
index cd42e6f16..c8ab572e2 100644
--- a/app/controllers/agent_connect/agent_controller.rb
+++ b/app/controllers/agent_connect/agent_controller.rb
@@ -12,8 +12,8 @@ class AgentConnect::AgentController < ApplicationController
   def login
     uri, state, nonce = AgentConnectService.authorization_uri
-    cookies.encrypted[STATE_COOKIE_NAME] = { value: state, secure: Rails.env.production? }
-    cookies.encrypted[NONCE_COOKIE_NAME] = { value: nonce, secure: Rails.env.production? }
+    cookies.encrypted[STATE_COOKIE_NAME] = { value: state, secure: Rails.env.production?, httponly: true }
+    cookies.encrypted[NONCE_COOKIE_NAME] = { value: nonce, secure: Rails.env.production?, httponly: true }
     redirect_to uri, allow_other_host: true
   end
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 2771bf78f..659b44a31 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -117,7 +117,7 @@ class ApplicationController < ActionController::Base
   def set_locale(locale)
     if locale && locale.to_sym.in?(I18n.available_locales)
-      cookies[:locale] = { value: locale, secure: Rails.env.production? }
+      cookies[:locale] = { value: locale, secure: Rails.env.production?, httponly: true }
       if user_signed_in?
         current_user.update(locale: locale)
       end
diff --git a/app/controllers/instructeurs/procedures_controller.rb b/app/controllers/instructeurs/procedures_controller.rb
index 6c8326050..9b9fc4014 100644
--- a/app/controllers/instructeurs/procedures_controller.rb
+++ b/app/controllers/instructeurs/procedures_controller.rb
@@ -249,6 +249,7 @@ module Instructeurs
       cookies.encrypted[cookies_export_key] = {
         value: DateTime.current,
         expires: Export::MAX_DUREE_GENERATION + Export::MAX_DUREE_CONSERVATION_EXPORT,
+        httponly: true,
         secure: Rails.env.production?
       }
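Review bot: The state and nonce cookies written in `login` now carry HttpOnly, but they still have no `expires:` and no `same_site:`; both are single-use values that only need to survive until the provider's callback, so a short explicit lifetime bounds how long a stale value stays acceptable, e.g. `cookies.encrypted[STATE_COOKIE_NAME] = { value: state, secure: Rails.env.production?, httponly: true, same_site: :lax, expires: 10.minutes }` (same for the nonce line). `:lax` is the right value here because the cookie has to be sent on the top-level redirect back from the identity provider, and `:strict` would drop it on that navigation. The same `same_site:` omission applies to the `cookies[:locale]` write in application_controller.rb, the export cookie in procedures_controller.rb and the session store in session_store.rb; if the app sets `config.action_dispatch.cookies_same_site_protection` that may already cover all four, but that setting is not visible in this diff.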
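Review bot: The locale cookie is written unsigned with `cookies[:locale]`, unlike the other writes in this commit that go through `cookies.encrypted`, so its value is client-controlled and must be re-validated against `I18n.available_locales` wherever it is read; that read is outside this hunk. If any front-end code reads the locale from `document.cookie`, `httponly: true` will break it, which is worth confirming before merging. On the guard two lines above, `locale.to_sym` runs before the allow-list check; comparing strings instead, `if locale && I18n.available_locales.map(&:to_s).include?(locale)`, avoids symbolizing arbitrary input. `set_locale` ends outside the hunk.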
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index 96e2b62b5..a38b32cae 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,3 +1,3 @@
 # Be sure to restart your server when you modify this file.
-Rails.application.config.session_store :cookie_store, key: '_DS_session', secure: Rails.env.production?
+Rails.application.config.session_store :cookie_store, key: '_DS_session', secure: Rails.env.production?, httponly: true
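Review bot: `httponly: true` on the cookie session store matches what Rack's cookie session already defaults to, as far as I recall, so this line documents rather than changes behaviour; making it explicit is still reasonable. What remains unset is `same_site:`, and the session cookie is the one carrying the authenticated context, so it is the place where the attribute matters most: `Rails.application.config.session_store :cookie_store, key: '_DS_session', secure: Rails.env.production?, httponly: true, same_site: :lax`. `secure: Rails.env.production?` also means a non-production deployment served over HTTPS (staging, review apps) gets a non-Secure session cookie unless `config.force_ssl` is enabled there, which Rails uses to flag the cookie itself; that is pre-existing, but worth a comment on this line.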