Open Photon3009 opened 4 months ago
You are right, we should take that precaution, though the only use we have for cookies currently is when running with basic auth on.
We could also have anti-CSRF protection, which prevents cross-site request forgery attacks.
Suggestion/Concern
The httpOnly option for cookies is currently set to false, allowing them to be accessed via JavaScript. This poses a security risk as it makes the cookies vulnerable to cross-site scripting (XSS) attacks.
Proposed Solution
To enhance security, the httpOnly flag for cookies should be set to true. This prevents client-side scripts from accessing the cookies, thereby mitigating the risk of XSS attacks. By enabling httpOnly, sensitive cookie data remains inaccessible to JavaScript, improving the overall security posture of the application.
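As an added illustration (not code from this project or from the issue author), the following Node.js snippet builds the session cookie both as the issue describes it today (`httpOnly: false`) and in the proposed hardened form, and includes a small audit function that flags a `Set-Cookie` header missing `HttpOnly`, `Secure` or `SameSite`. The cookie name `session`, the value, and the `auditSetCookie` helper are assumptions made for the example. Two caveats a reviewer would add: `HttpOnly` only stops script from reading the cookie, it does not stop an injected script from making requests that the browser still attaches the cookie to; and `SameSite` is the cookie-level counterpart of the anti-CSRF protection mentioned in the reply above.

```javascript
// Added example, not the project's own code. Shows the weak cookie setting
// from the issue beside the hardened one, plus an audit of Set-Cookie flags.
// Cookie name/value and the audit helper are assumptions for illustration.

// Serialize a cookie the way a server places it in a Set-Cookie header.
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.httpOnly) parts.push('HttpOnly');   // not readable via document.cookie
  if (opts.secure) parts.push('Secure');       // only sent over HTTPS
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`); // limits cross-site sends
  return parts.join('; ');
}

// Audit one Set-Cookie header value and return the list of problems found.
function auditSetCookie(header) {
  const attrs = header.split(';').slice(1).map((s) => s.trim());
  const lower = attrs.map((a) => a.toLowerCase());
  const has = (flag) => lower.includes(flag);
  const sameSite = attrs.find((a) => a.toLowerCase().startsWith('samesite='));
  const problems = [];
  if (!has('httponly')) problems.push('missing HttpOnly: readable via document.cookie (XSS)');
  if (!has('secure')) problems.push('missing Secure: sent over plaintext HTTP');
  if (!sameSite) {
    problems.push('missing SameSite: sent on cross-site requests (CSRF)');
  } else if (sameSite.split('=')[1].toLowerCase() === 'none' && !has('secure')) {
    problems.push('SameSite=None requires Secure');
  }
  return problems;
}

// Current setting described in the issue: httpOnly is false.
const weak = buildSetCookie('session', 'abc123', { path: '/', httpOnly: false });
// Proposed fix, plus the Secure and SameSite attributes a reviewer would ask for.
const hardened = buildSetCookie('session', 'abc123', {
  path: '/', httpOnly: true, secure: true, sameSite: 'Strict',
});

console.log('weak:    ', weak, auditSetCookie(weak));
console.log('hardened:', hardened, auditSetCookie(hardened));
```

Running the block prints the two header values and their audit results; the hardened header audits clean, while the current one is flagged for all three missing attributes.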