kukuxumushi closed 5 years ago
Hello.
Without http-only flag, it is possible to steal xsrf token (through reflected xss, for example :^) ) and this protection becomes useless.
I think it's a good idea to set this flag.
Thx.
@kukuxumushi If XSS was fixed, then no need for the flag right?
Most likely not required.
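To make the concern raised in this issue concrete, the sketch below (an added example, not code from the project or from any participant in this thread) parses `Set-Cookie` headers and shows which cookies a page script would see through `document.cookie`, with and without `HttpOnly` on the token cookie. The cookie names and values are constructed, and the model is simplified: it looks only at `HttpOnly` and ignores Path, Domain, Secure and expiry matching.

```javascript
// Added example. Cookie names and values are constructed sample input.
const WITHOUT_FLAG = [
  "XSRF-TOKEN=abc123; Path=/; Secure; SameSite=Lax",
  "session=s3ss10n; Path=/; HttpOnly; Secure; SameSite=Lax",
];
const WITH_FLAG = [
  "XSRF-TOKEN=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "session=s3ss10n; Path=/; HTTPONLY; Secure; SameSite=Lax",
];

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || "";
  const eq = first.indexOf("=");
  if (eq < 1) return null; // malformed: no cookie name
  const attrs = new Map();
  for (const p of parts) {
    const i = p.indexOf("=");
    // Attribute names are case-insensitive, so normalise them.
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? true : p.slice(i + 1).trim());
  }
  return { name: first.slice(0, eq), value: first.slice(eq + 1), attrs };
}

// Cookies without HttpOnly are the ones page script can read.
function scriptReadableCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => c !== null && !c.attrs.has("httponly"));
}

// Simplified model of the string document.cookie would return.
function documentCookieView(headers) {
  return scriptReadableCookies(headers)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

console.log("without flag:", JSON.stringify(documentCookieView(WITHOUT_FLAG)));
console.log("with flag:   ", JSON.stringify(documentCookieView(WITH_FLAG)));
```

Run over the response headers of a login or form page, `scriptReadableCookies` gives a quick list of cookies to review for the flag.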