dadi / web

Web is a drop in front end for websites and web apps. Consumes data from DADI API and others
https://dadi.cloud/en/web/
Other
48 stars 16 forks source link

Add HttpOnly and Secure flags to CSRF cookie #376

Closed abovedave closed 6 years ago

abovedave commented 6 years ago

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.