A cookie can be accessed through javascript if it does not have the HttpOnly header set. An attacker who managed to perform XSS or run a client-side script is able to access the cookie if it does not have the HttpOnly flag set.

Cookie with HttpOnly flag set is inaccessible via client-side javascript.

How does the HttpOnly flag help?

when the attacker tries to read a cookie that has HttpOnly flag set, javascript responds with an empty string

For which cookies should I set the HttpOnly flag?

For cookies that we don't want to be accessed through javascript, this flag should be set.

No, HttpOnly cannot protect you from all client-side script attacks. There is a possibility of an attacker being able to leverage XSS with CSRF payload which can bypass HttpOnly to steal user cookies. An example can be found here.