With httponly you only prevent to read the cookie with js, but its still possible to make requests in the name of the user.
6 Matching Annotations
- Oct 2021
-
github.com github.com
-
-
They are on client-side, but (usually) they are HTTPOnly. Now if they are part of session, any client-side script is able to access them, and I just don't like introducing vulnerabilities knowingly. As I said above, I found a workaround that works for me and you may have different opinion from me on how much this is a risk.
Tags
Annotators
URL
-
- Jun 2021
-
disqus.com disqus.com
-
In short: storing the token in HttpOnly cookies mitigates XSS being used to get the token, but opens you up to CSRF, while the reverse is true for storing the token in localStorage.
-
I started off really wanting to use HttpOnly cookies
-
- May 2021
-
-
the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HttpOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.
-
-