Improvement
Resolution: Duplicate
Minor
None
3.2
None
MOODLE_32_STABLE
Moodle's default security settings should have better defaults, unless there is a compelling reason not to.
I think it too should be on. There is some discussion around maybe parts of Moodle which need it and possibly some issues with SCORM or Flash content not working with it. But I haven't ever seen first-hand instances of it breaking, so I don't know.
With cookiehttponly on, cookies Moodle sets can only be accessed via HTTP requests. This helps prevent some cross-site scripting (XSS) attacks.
Duplicates: MDL-50160 HTTP only cookies (cookiehttponly) default set to on and UI setting removed (Closed)
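One way to check whether a site is actually sending its cookies with the HttpOnly attribute, as an added example that is not part of the original issue or Moodle's code. The sample response headers are constructed, and the cookie names `MoodleSession` (assumed to be the session cookie) and `example_pref` are used for illustration only.

```python
# Added example: audit raw HTTP response headers for cookies set without HttpOnly.
# A cookie without HttpOnly is readable from page scripts via document.cookie,
# which is what the cookiehttponly setting is meant to prevent.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, set of lowercased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def cookies_missing_httponly(raw_headers):
    """Return the names of cookies that a response sets without the HttpOnly attribute."""
    missing = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line or an unrelated header
        name, attrs = parse_set_cookie(value)
        if "httponly" not in attrs:  # attribute names are case-insensitive
            missing.append(name)
    return missing

# Constructed sample: response as it would look with cookiehttponly off.
SAMPLE_OFF = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: MoodleSession=constructedvalue1; path=/\r\n"
)

# Constructed sample: session cookie protected, a second cookie still exposed.
SAMPLE_ON = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: MoodleSession=constructedvalue2; path=/; HttpOnly\r\n"
    "Set-Cookie: example_pref=1; expires=Wed, 01 Jan 2031 00:00:00 GMT; path=/\r\n"
)

if __name__ == "__main__":
    for label, sample in (("off", SAMPLE_OFF), ("on", SAMPLE_ON)):
        print(label, "-> cookies without HttpOnly:", cookies_missing_httponly(sample))
```
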