jsdecena / laracom

Laravel FREE E-Commerce Software
https://jsdecena.github.io/laracom

No https-only flag in xsrf cookie #212

Closed kukuxumushi closed 5 years ago

kukuxumushi commented 5 years ago

Hello.

Without the http-only flag, it is possible to steal the xsrf token (through reflected XSS, for example :^) ), and this protection becomes useless.

I think it's a good idea to set this flag.

Thx.

belguinan commented 5 years ago

@kukuxumushi If XSS was fixed, then no need for the flag right?

kukuxumushi commented 5 years ago

Most likely not required.
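As an added illustration of the trade-off discussed in this thread (not laracom's or Laravel's own code), here is a minimal PHP model of Laravel's cookie-based CSRF scheme, showing why the XSRF-TOKEN cookie is deliberately readable by JavaScript while the session cookie is HttpOnly. It assumes PHP 7.3+ for the `setcookie` options array; the cookie names, the `X-XSRF-TOKEN` header and the 419 status follow Laravel's conventions, while the helper function names are invented for this example.

```php
<?php
// Added example, not code from laracom or Laravel: a minimal model of how
// Laravel's VerifyCsrfToken middleware uses the XSRF-TOKEN cookie.
//
// Double-submit scheme: the server keeps the CSRF token in the session
// (whose cookie is HttpOnly) and also sends it in a readable XSRF-TOKEN
// cookie; front-end JS (e.g. Axios) reads that cookie and echoes it in an
// X-XSRF-TOKEN header on every state-changing request. If XSRF-TOKEN were
// HttpOnly, the page's own JS could not read it, the header would never be
// sent, and every AJAX POST would fail the check below. That is why the
// defence against token theft is fixing the XSS (and keeping the *session*
// cookie HttpOnly), not flagging XSRF-TOKEN.

declare(strict_types=1);

function issueCookies(string $sessionId, string $csrfToken, bool $https): void
{
    // Session cookie: opaque to JavaScript, so an XSS cannot read the session.
    setcookie('laravel_session', $sessionId, [
        'path' => '/', 'secure' => $https, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    // XSRF-TOKEN: must stay readable by JS (httponly => false), but still gets
    // Secure and SameSite so it is neither sent in clear nor cross-site.
    setcookie('XSRF-TOKEN', $csrfToken, [
        'path' => '/', 'secure' => $https, 'httponly' => false, 'samesite' => 'Lax',
    ]);
}

// Server-side check for a state-changing request: the token echoed in the
// header (or the _token form field) must equal the token held in the session.
function csrfTokenMatches(?string $sessionToken, ?string $submittedToken): bool
{
    if ($sessionToken === null || $submittedToken === null) {
        return false;
    }
    return hash_equals($sessionToken, $submittedToken); // constant-time compare
}

// Typical use inside a request handler (constructed values, no real session).
$sessionToken = bin2hex(random_bytes(20));
issueCookies(bin2hex(random_bytes(20)), $sessionToken, isset($_SERVER['HTTPS']));
$submitted = $_SERVER['HTTP_X_XSRF_TOKEN'] ?? $_POST['_token'] ?? null;
if (!csrfTokenMatches($sessionToken, $submitted)) {
    http_response_code(419); // Laravel's "Page Expired" response on a CSRF mismatch
    exit;
}
```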