🐛 Bug Report
I've noticed that the access tokens used in the application are not being set with the HTTP-only attribute. This poses a potential security risk. Anybody can use this to run malicious client-side scripts.
Expected Behavior
To mitigate this risk, I propose that we update the implementation to set the HTTP-only attribute for access tokens.
Possible Solution
Set the implementation of metacall-access-token to httpOnly. By doing so, we restrict access to the tokens only through HTTP requests, thereby enhancing the security of our authentication mechanism.
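As an added illustration (not MetaCall's own code), the following JavaScript shows the weak Set-Cookie header for metacall-access-token beside the HttpOnly form, plus a small parser a test or response hook can use to confirm the attribute is actually present. The Secure and SameSite=Strict attributes, the Max-Age value and all function names are assumptions of this example, not something the report specifies.

```javascript
// Added example, not MetaCall's own code: Set-Cookie handling for the
// metacall-access-token cookie described in the report.
const COOKIE_NAME = "metacall-access-token";

// Weak form: no HttpOnly, so any script running in the page can read the
// token through document.cookie.
function weakAccessTokenCookie(token, maxAgeSeconds) {
  return `${COOKIE_NAME}=${encodeURIComponent(token)}; Path=/; Max-Age=${maxAgeSeconds}`;
}

// Hardened form: HttpOnly keeps the cookie out of reach of page scripts.
// Secure and SameSite=Strict are assumed companions, not part of the report.
function hardenedAccessTokenCookie(token, maxAgeSeconds) {
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("token must be a non-empty string");
  }
  return [
    `${COOKIE_NAME}=${encodeURIComponent(token)}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",
    "Secure",
    "SameSite=Strict",
  ].join("; ");
}

// Parse one Set-Cookie header value into its cookie name and an attribute
// map keyed by lower-cased attribute name (cookie attributes are
// case-insensitive; flag attributes such as HttpOnly map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Check for a test or response hook: every Set-Cookie header that sets
// metacall-access-token must carry HttpOnly, and at least one must exist.
function accessTokenCookieIsHttpOnly(setCookieHeaders) {
  const matches = setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => c.name === COOKIE_NAME);
  return matches.length > 0 && matches.every((c) => c.attributes.httponly === true);
}
```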