Closed catacs closed 7 years ago
Yes. First, the cookie only holds a selected language, not a sessionId or similar, so that cookie is not relevant regarding security. Second, using i18next on the client, you can set the cookie on the client side and reflect that lng selection back to the server. That's all.
Following the Express guide to secure an Express app (http://expressjs.com/en/advanced/best-practice-security.html), I am trying to set httpOnly for the i18n set-cookie header. I saw it's disabled by default in https://github.com/i18next/i18next-express-middleware/blob/master/src/languageLookups/cookie.js (line 31).
What is the purpose of that? Is there any problem enabling it?
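
The trade-off discussed in this thread, as an added example that is not part of the thread or of the i18next code: a simplified model of how a browser treats a language cookie with and without `HttpOnly`, showing what client-side script can read and change and what still reaches the server. The cookie name `i18next`, the values and all function names are assumptions made for the illustration.

```javascript
// Added illustration: simplified model of browser cookie visibility.
// The cookie name "i18next" and the values "en"/"de" are constructed samples.

// Parse one Set-Cookie header into { name, value, httpOnly }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  return {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    httpOnly: attrs.some((a) => a.toLowerCase() === 'httponly'),
  };
}

class CookieJar {
  constructor() { this.cookies = new Map(); }
  // Cookie arriving in an HTTP response header.
  receive(header) {
    const c = parseSetCookie(header);
    this.cookies.set(c.name, c);
  }
  // Write through document.cookie: an existing HttpOnly cookie is not replaced.
  scriptSet(name, value) {
    const old = this.cookies.get(name);
    if (old && old.httpOnly) return false;
    this.cookies.set(name, { name, value, httpOnly: false });
    return true;
  }
  // Read through document.cookie: HttpOnly cookies are filtered out.
  documentCookie() { return this.serialize((c) => !c.httpOnly); }
  // Cookie request header: every stored cookie is sent, HttpOnly or not.
  requestHeader() { return this.serialize(() => true); }
  serialize(keep) {
    return [...this.cookies.values()].filter(keep)
      .map((c) => `${c.name}=${encodeURIComponent(c.value)}`).join('; ');
  }
}

// Client-side language lookup as a cookie-based detector would do it.
function clientLookup(jar, name) {
  const hit = jar.documentCookie().split('; ').find((p) => p.startsWith(`${name}=`));
  return hit ? decodeURIComponent(hit.slice(name.length + 1)) : undefined;
}

// Server sets the language, then the client tries to read it and switch to "de".
function scenario(setCookieHeader) {
  const jar = new CookieJar();
  jar.receive(setCookieHeader);
  const seenByClient = clientLookup(jar, 'i18next');
  const clientCouldSwitch = jar.scriptSet('i18next', 'de');
  return { seenByClient, clientCouldSwitch, sentToServer: jar.requestHeader() };
}
```

With `scenario('i18next=en; Path=/; HttpOnly')` the client sees no language and cannot switch it, while the server keeps receiving `i18next=en`; without the flag the client reads `en` and its switch to `de` is reflected back to the server.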