diff --git a/routes.py b/routes.py
index 48e4f1a..3debd3e 100644
--- a/routes.py
+++ b/routes.py
@@ -50,6 +50,7 @@ def twitter_login_step2():
 resp = Response(status=301, headers={"location": url_for('index')})
 resp.set_cookie('forget_sid', session.id, max_age=60*60*48,
+ httponly=True,
 secure=app.config.get("HTTPS"))
 return resp
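Review bot: The `set_cookie` call for `forget_sid` still passes no `samesite` attribute, so whether the session cookie accompanies cross-site requests is left to each browser's default. Adding `samesite='Lax',` next to the new `httponly=True,` would pin that down, provided the installed Werkzeug accepts the argument; Lax rather than Strict, because this response ends a cross-site OAuth redirect chain. Separately, `secure=app.config.get("HTTPS")` evaluates to `None` when the key is unset, so the cookie then goes out without the Secure flag and nothing signals it. Defaulting to on, e.g. `secure=app.config.get("HTTPS", True)`, would make plain HTTP an explicit opt-in. The body of `twitter_login_step2` starts above this hunk, so how `session` is created is not visible here.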