diff --git a/inc/config.php b/inc/config.php
index e9e52aaf..ae3ce0c0 100644
--- a/inc/config.php
+++ b/inc/config.php
@@ -154,6 +154,9 @@
 // Make this something long and random for security.
 $config['cookies']['salt'] = 'abcdefghijklmnopqrstuvwxyz09123456789!@#$%^&*()';
 
+ // Whether or not you can access the mod cookie in JavaScript. Most users should not need to change this.
+ $config['cookies']['httponly'] = true;
+
 // Used to salt secure tripcodes ("##trip") and poster IDs (if enabled).
 $config['secure_trip_salt'] = ')(*&^%$#@!98765432190zyxwvutsrqponmlkjihgfedcba';
 
diff --git a/inc/mod/auth.php b/inc/mod/auth.php
index bfab0f7e..0733646f 100644
--- a/inc/mod/auth.php
+++ b/inc/mod/auth.php
@@ -72,7 +72,7 @@ function setCookies() {
 $mod['hash'][0] . // password
 ':' .
 $mod['hash'][1], // salt
- time() + $config['cookies']['expire'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, true);
+ time() + $config['cookies']['expire'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, $config['cookies']['httponly']);
 }
 
 function destroyCookies() {
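Review bot: The comment added above `$config['cookies']['httponly']` in inc/config.php does not say what switching the option off costs. With the flag false the mod cookie becomes readable from script, so a single XSS bug anywhere on the board is enough to expose a moderator's login cookie. I would word it as `// Keep the mod cookie unreadable from JavaScript (HttpOnly). Setting this to false lets any script on the page, injected script included, read the moderator login cookie.` Judging by the `// password` and `// salt` comments in the inc/mod/auth.php hunk, that cookie appears to carry hash and salt fields, which makes the warning worth stating here.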
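Review bot: In inc/mod/auth.php the last argument of the `setcookie()` call now takes `$config['cookies']['httponly']` as is, so if the key is ever absent or set to a falsy value by mistake the HttpOnly flag is dropped without any signal. Config loading is not visible here, but the call should fail closed, for example `isset($config['cookies']['httponly']) ? (bool) $config['cookies']['httponly'] : true`. The `secure` argument just before it is still a hard-coded `false`, so the same cookie is also sent over plain HTTP; driving that from a config option or the request scheme would be a sensible follow-up. setCookies() begins above the hunk, so the cookie name and the first part of its value are not shown.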