diff --git a/core/lib/spree/core/controller_helpers/auth.rb b/core/lib/spree/core/controller_helpers/auth.rb
index 3fecec3f5b2..d21d7cf6389 100644
--- a/core/lib/spree/core/controller_helpers/auth.rb
+++ b/core/lib/spree/core/controller_helpers/auth.rb
@@ -42,7 +42,10 @@ def redirect_back_or_default(default)
 def set_guest_token
 unless cookies.signed[:guest_token].present?
- cookies.permanent.signed[:guest_token] = SecureRandom.urlsafe_base64(nil, false)
+ cookies.permanent.signed[:guest_token] = {
+ value: SecureRandom.urlsafe_base64(nil, false),
+ httponly: true
+ }
 end
 end
diff --git a/core/spec/lib/spree/core/controller_helpers/auth_spec.rb b/core/spec/lib/spree/core/controller_helpers/auth_spec.rb
index c4bf8b2b83a..f7d1ef82932 100644
--- a/core/spec/lib/spree/core/controller_helpers/auth_spec.rb
+++ b/core/spec/lib/spree/core/controller_helpers/auth_spec.rb
@@ -40,6 +40,7 @@ def index
 end
 it 'sends cookie header' do
 get :index
+ expect(response.headers["Set-Cookie"]).to match(/guest_token.*HttpOnly/)
 expect(response.cookies['guest_token']).not_to be_nil
 end
 end
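Review bot: The new options hash sets `httponly: true` but no `secure` flag, so the permanent guest_token cookie is still transmitted on plaintext HTTP requests and can be read or replaced by a network attacker even though script access is now blocked. Adding `secure: request.ssl?` after `httponly: true` (or tying it to the app's force_ssl setting) closes that gap; since a Secure cookie set over TLS is not presented on later plain-HTTP requests, a store that mixes schemes would issue a fresh token there, which deserves a one-line comment above the assignment. If the Rails versions this gem targets accept it, `same_site: :lax` is the other attribute a session-like identifier should carry; I cannot tell the supported range from this hunk. Note also that `cookies.signed` only prevents forgery, it does not hide the token value from whoever holds the cookie. set_guest_token is complete within the hunk; the enclosing module begins outside it.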
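Review bot: The added assertion calls `match` on `response.headers["Set-Cookie"]` and assumes a String; on newer Rack/Rails stacks a multi-value header may come back as an Array, which has no `match`, so the example would error rather than fail. Normalising first, `expect(Array(response.headers["Set-Cookie"]).join("\n")).to match(/^guest_token=.*HttpOnly/)`, keeps the check working either way, and anchoring on `^guest_token=` ensures the HttpOnly it finds belongs to this cookie and not to another one in the same header. The example only covers the first-visit path; a second example that sends an unsigned or tampered guest_token cookie and asserts a fresh Set-Cookie is issued would pin the `cookies.signed` verification the helper relies on. The `it` block is complete within the hunk; the surrounding describe starts outside it.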