metacall / core

MetaCall: The ultimate polyglot programming experience.
https://metacall.io
Apache License 2.0

Metacall Access Token not set to httpOnly #498

Closed abhiraj-ku closed 1 month ago

abhiraj-ku commented 4 months ago

🐛 Bug Report

I've noticed that the access tokens used in the application are not being set with the HTTP-only attribute. This poses a potential security risk. Anybody can use this to run malicious client-side scripts.

Expected Behavior

To mitigate this risk, I propose that we update the implementation to set the HTTP-only attribute for access tokens.

Possible Solution

Set the implementation of metacall-access-token to httpOnly. By doing so, we restrict access to the tokens only through HTTP requests, thereby enhancing the security of our authentication mechanism.
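A worked illustration of the attribute being proposed, added here as an example and not code from the MetaCall project or from this issue. It assumes the token is delivered to the browser as a cookie in an HTTP response (the issue does not say which token is meant); the cookie name `metacall-access-token` is taken from the issue, the token values and the two sample `Set-Cookie` headers are constructed. One function builds the hardened header, the other audits existing `Set-Cookie` headers and reports which of `HttpOnly`, `Secure` and `SameSite` are missing, which is the check a reviewer would run against the real responses:

```javascript
// Added example, not code from the MetaCall project: build a hardened
// Set-Cookie header for an access token, and audit Set-Cookie headers for the
// attributes that keep the token away from page scripts and cross-site requests.

// Build a Set-Cookie value. HttpOnly keeps document.cookie from exposing the
// token to scripts; Secure restricts it to HTTPS; SameSite limits when the
// browser attaches it to cross-site requests.
function buildTokenCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = "Strict", maxAge = 3600 } = opts;
  // RFC 6265 forbids separators and whitespace in cookie names and values.
  if (!/^[A-Za-z0-9!#$%&'*+.^_`|~-]+$/.test(name)) throw new Error("invalid cookie name");
  if (/[\s;,"\\]/.test(value)) throw new Error("invalid cookie value");
  const parts = [`${name}=${value}`, "Path=/", `Max-Age=${maxAge}`, `SameSite=${sameSite}`];
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Audit one Set-Cookie header value and report which hardening attributes are
// missing. Attribute names are case-insensitive (RFC 6265), so compare lower-cased.
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  const present = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
  const missing = ["HttpOnly", "Secure", "SameSite"].filter((f) => !present.has(f.toLowerCase()));
  return { name, missing, ok: missing.length === 0 };
}

// Audit every Set-Cookie header of a response and keep only the weak ones.
function findWeakCookies(setCookieHeaders) {
  return setCookieHeaders.map(auditSetCookie).filter((r) => !r.ok);
}

// Constructed sample headers: the first has the shape reported in the issue
// (token cookie without HttpOnly), the second is the hardened form.
const SAMPLE_HEADERS = [
  "metacall-access-token=EXAMPLE_TOKEN; Path=/; Secure",
  buildTokenCookie("metacall-access-token", "EXAMPLE_TOKEN"),
];

console.log(findWeakCookies(SAMPLE_HEADERS));
// → [ { name: 'metacall-access-token', missing: [ 'HttpOnly', 'SameSite' ], ok: false } ]
```

`HttpOnly` only stops scripts from reading the cookie through `document.cookie`; it does not stop the browser from sending it, which is why the audit also flags a missing `SameSite`, and why a script-injection bug still needs fixing on its own.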

viferga commented 2 months ago

@abhiraj-ku can you explain what token you are referring to?