diff --git a/rules/java/security/cookie-httponly-false-java.yml b/rules/java/security/cookie-httponly-false-java.yml
new file mode 100644
index 00000000..5916d17b
--- /dev/null
+++ b/rules/java/security/cookie-httponly-false-java.yml
@@ -0,0 +1,13 @@
+id: cookie-httponly-false-java
+language: java
+message: >-
+ A cookie was detected without setting the 'HttpOnly' flag. The
+ 'HttpOnly' flag for cookies instructs the browser to forbid client-side
+ scripts from reading the cookie. Set the 'HttpOnly' flag by calling
+ 'cookie.setHttpOnly(true);'
+note: >-
+ [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag.
+ [REFERENCES]
+ - https://capec.mitre.org/data/definitions/463.html
+rule:
+ pattern: $COOKIE.setHttpOnly(false);
diff --git a/rules/java/security/cookie-missing-httponly-java.yml b/rules/java/security/cookie-missing-httponly-java.yml
new file mode 100644
index 00000000..57fa66aa
--- /dev/null
+++ b/rules/java/security/cookie-missing-httponly-java.yml
@@ -0,0 +1,23 @@
+id: cookie-missing-httponly-java
+severity: warning
+language: java
+message: >-
+ A cookie was detected without setting the 'HttpOnly' flag. The
+ 'HttpOnly' flag for cookies instructs the browser to forbid client-side
+ scripts from reading the cookie. Set the 'HttpOnly' flag by calling
+ 'cookie.setHttpOnly(true);
+note: >-
+ [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag.
+ [REFERENCES]
+ - https://owasp.org/www-community/HttpOnly
+rule:
+ pattern: $RESPONSE.addCookie($COOKIE);
+ all:
+ - not:
+ follows:
+ stopBy: end
+ pattern: $COOKIE.setValue("");
+ - not:
+ follows:
+ stopBy: end
+ pattern: $COOKIE.setHttpOnly($$$);
diff --git a/tests/__snapshots__/cookie-httponly-false-java-snapshot.yml b/tests/__snapshots__/cookie-httponly-false-java-snapshot.yml
new file mode 100644
index 00000000..c1460483
--- /dev/null
+++ b/tests/__snapshots__/cookie-httponly-false-java-snapshot.yml
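Review bot: This rule has no `severity:` field, while the sibling rule `cookie-missing-httponly-java` in the next file sets `severity: warning`, so an explicit `setHttpOnly(false)` — the more definite finding of the two — would be reported at whatever the tool's default level is (if I recall ast-grep correctly, `hint`, i.e. lower than the heuristic rule). Add `severity: warning` directly after the `id:` line so both cookie rules surface at least at the same level. The `message:` also says the cookie was detected "without setting" the flag, but the pattern only matches code that explicitly disables it; wording such as `The 'HttpOnly' flag was explicitly disabled via setHttpOnly(false)` would tell the developer what was actually found.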
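Review bot: The last `message:` line `'cookie.setHttpOnly(true);` is missing its closing quote (the sibling rule writes `'cookie.setHttpOnly(true);'`), so the rendered advice ends in an unbalanced quote. Both `not: follows:` exclusions use `stopBy: end`, which as far as I can tell only scans statements that precede the `addCookie` call as siblings, so a `setHttpOnly(true)` made in an enclosing block, in a helper, or by a factory that builds the cookie would presumably still be reported, and since `$$$` matches any argument, `setHttpOnly(false)` or a variable argument suppresses this rule entirely. A short comment above `rule:` would help triagers, e.g. `# setHttpOnly(false) is reported separately by cookie-httponly-false-java; HttpOnly set outside the preceding sibling statements (helpers, factories, container-level cookie config) is not seen here`. The `setValue("")` exclusion also exempts any empty-valued cookie, not only the delete-cookie idiom with `setMaxAge(0)` that the test models — probably acceptable since such a cookie carries nothing, but worth stating in the same comment.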
@@ -0,0 +1,16 @@
+id: cookie-httponly-false-java
+snapshots:
+ ? |2
+
+ @RequestMapping(value = "/cookie4", method = "GET")
+ public void explicitDisable(@RequestParam String value, HttpServletResponse response) {
+ Cookie cookie = new Cookie("cookie", value);
+ cookie.setSecure(false);
+ cookie.setHttpOnly(false);
+ response.addCookie(cookie);
+ }
+ : labels:
+ - source: cookie.setHttpOnly(false);
+ style: primary
+ start: 223
+ end: 249
diff --git a/tests/__snapshots__/cookie-missing-httponly-java-snapshot.yml b/tests/__snapshots__/cookie-missing-httponly-java-snapshot.yml
new file mode 100644
index 00000000..aa712115
--- /dev/null
+++ b/tests/__snapshots__/cookie-missing-httponly-java-snapshot.yml
@@ -0,0 +1,19 @@
+id: cookie-missing-httponly-java
+snapshots:
+ ? |
+ @RequestMapping(value = "/cookie1", method = "GET")
+ public void setCookie(@RequestParam String value, HttpServletResponse response) {
+ Cookie cookie = new Cookie("cookie", value);
+ response.addCookie(cookie);
+ }
+ @RequestMapping(value = "/cookie2", method = "GET")
+ public void setSecureCookie(@RequestParam String value, HttpServletResponse response) {
+ Cookie cookie = new Cookie("cookie", value);
+ cookie.setSecure(true);
+ response.addCookie(cookie);
+ }
+ : labels:
+ - source: response.addCookie(cookie);
+ style: primary
+ start: 187
+ end: 214
diff --git a/tests/java/cookie-httponly-false-java-test.yml b/tests/java/cookie-httponly-false-java-test.yml
new file mode 100644
index 00000000..e9ae0072
--- /dev/null
+++ b/tests/java/cookie-httponly-false-java-test.yml
@@ -0,0 +1,20 @@
+id: cookie-httponly-false-java
+valid:
+ - |
+ @RequestMapping(value = "/cookie3", method = "GET")
+ public void setSecureHttponlyCookie(@RequestParam String value, HttpServletResponse response) {
+ Cookie cookie = new Cookie("cookie", value);
+ cookie.setSecure(true);
+ cookie.setHttpOnly(true);
+ response.addCookie(cookie);
+ }
+invalid:
+ - |
+
+ @RequestMapping(value = "/cookie4", method = "GET")
+ public void explicitDisable(@RequestParam String value, HttpServletResponse response) {
+ Cookie cookie = new Cookie("cookie", value);
+ cookie.setSecure(false);
+ cookie.setHttpOnly(false);
+ response.addCookie(cookie);
+ }
diff --git a/tests/java/cookie-missing-httponly-java-test.yml b/tests/java/cookie-missing-httponly-java-test.yml
new file mode 100644
index 00000000..18e55379
--- /dev/null
+++ b/tests/java/cookie-missing-httponly-java-test.yml
@@ -0,0 +1,19 @@
+id: cookie-missing-httponly-java
+valid:
+ - |
+ existingCookie.setValue("");
+ existingCookie.setMaxAge(0);
+ response.addCookie(existingCookie);
+invalid:
+ - |
+ @RequestMapping(value = "/cookie1", method = "GET")
+ public void setCookie(@RequestParam String value, HttpServletResponse response) {
+ Cookie cookie = new Cookie("cookie", value);
+ response.addCookie(cookie);
+ }
+ @RequestMapping(value = "/cookie2", method = "GET")
+ public void setSecureCookie(@RequestParam String value, HttpServletResponse response) {
+ Cookie cookie = new Cookie("cookie", value);
+ cookie.setSecure(true);
+ response.addCookie(cookie);
+ }
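Review bot: The `valid:` list for `cookie-missing-httponly-java` exercises only the `setValue("")` exclusion; there is no positive-control case where `setHttpOnly(true)` precedes `addCookie`, so a regression in the rule's second `not: follows:` branch would pass this suite unnoticed. Add a valid entry such as `cookie.setHttpOnly(true);` followed by `response.addCookie(cookie);` (the `/cookie3` method from the sibling test file would serve as well). A further valid entry using `setHttpOnly(false)` before `addCookie` would document that this rule intentionally defers the explicit-disable case to `cookie-httponly-false-java` rather than reporting it twice.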