I read Set "secure" attribute for Flask cookies, but it's for setting secure cookies, but I'm trying to set HTTPONLY cookies. They both are kind-of-secure cookies, but differ in specs (read more).
The cookie needs to be protected because it is about users' logging in information.
Check set_cookie() (docs) under Flask APIs. It provides options for setting a HTTPONLY cookie using its httponly option. For example, the following code will set a HTTPONLY cookie:
set_cookie("name", value = "value", httponly = True)