Cookies themselves shouldn't ever contain sensitive information that the user should not be able to see. Attackers can target cookies to try to gather private information. The most common target is the session cookie. If the session cookie is compromised, an attacker can use it to impersonate the user, and the server will allow it.
The HttpOnly flag asks the browser to prevent JavaScript from accessing the cookie, which protects the cookie from being read in a cross-site scripting attack. The cookie is only sent when making HTTP requests; scripts on the page cannot read it. If you do need a cookie that JavaScript can access, create a separate cookie rather than exposing the session cookie.
The Secure flag asks the browser to only transport the cookie with TLS/SSL encryption. ...
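The two flags described above can be set and checked as follows. This is an added example, not code from the original page: it builds a session cookie with HttpOnly and Secure alongside a separate script-readable cookie, then audits raw Set-Cookie values for session cookies missing either flag. The cookie names `session` and `ui_theme` and the sample header values are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie

def build_cookies(session_id, theme):
    """Return Set-Cookie header values: a locked-down session cookie plus a
    separate, non-sensitive cookie that page scripts are allowed to read."""
    jar = SimpleCookie()
    jar["session"] = session_id          # hypothetical cookie name
    jar["session"]["httponly"] = True    # hidden from document.cookie
    jar["session"]["secure"] = True      # only sent over TLS
    jar["session"]["path"] = "/"
    jar["ui_theme"] = theme              # hypothetical, JS-readable on purpose
    jar["ui_theme"]["secure"] = True
    jar["ui_theme"]["path"] = "/"
    return [morsel.OutputString() for morsel in jar.values()]

def audit_set_cookie(header_values, session_names=("session",)):
    """Check raw Set-Cookie values; return (cookie_name, missing_flag) pairs
    for session cookies that lack HttpOnly or Secure."""
    findings = []
    for raw in header_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        if name not in session_names:
            continue
        # Attribute names are case-insensitive; drop any "=value" part.
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append((name, flag))
    return findings

# Constructed sample header values, not captured traffic.
SAMPLE_WEAK = ["session=abc123; Path=/", "ui_theme=dark; Path=/"]
SAMPLE_MIXED = ["session=abc123; Path=/; secure"]

if __name__ == "__main__":
    for value in build_cookies("abc123", "dark"):
        print("Set-Cookie:", value)
    print(audit_set_cookie(SAMPLE_WEAK))
    print(audit_set_cookie(SAMPLE_MIXED))
```

A check like `audit_set_cookie` fits in an integration test that inspects the login response, so a regression that drops either flag fails the build.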