dadi/web

Add HttpOnly and Secure flags to CSRF cookie

Closed this issue · 0 comments

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.
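As an added illustration (not dadi/web's own code), the Node.js snippet below builds a `Set-Cookie` header with the flags the issue asks for and audits an existing header for the ones it lacks; the cookie name `csrf_token` and the token value are constructed sample data.

```javascript
// Added example, not dadi/web's code: build a hardened Set-Cookie header and
// audit an existing one for missing HttpOnly / Secure / SameSite attributes.

// Build a Set-Cookie header value; defaults are the hardened settings.
function buildSetCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = 'Strict', path = '/' } = opts;
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (httpOnly) parts.push('HttpOnly');   // not readable via document.cookie
  if (secure) parts.push('Secure');       // only sent over HTTPS
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Return the hardening flags a Set-Cookie header lacks (empty array = fine).
function missingCookieFlags(header) {
  const { attrs } = parseSetCookie(header);
  const missing = [];
  if (!attrs.httponly) missing.push('HttpOnly');
  if (!attrs.secure) missing.push('Secure');
  if (!attrs.samesite) missing.push('SameSite');
  return missing;
}

// Constructed sample: the weak header the issue describes next to the fixed one.
const weakHeader = 'csrf_token=abc123; Path=/';
const fixedHeader = buildSetCookie('csrf_token', 'abc123');
console.log(missingCookieFlags(weakHeader));  // [ 'HttpOnly', 'Secure', 'SameSite' ]
console.log(missingCookieFlags(fixedHeader)); // []
```

If the CSRF token is deliberately read by front-end JavaScript (double-submit pattern), `HttpOnly` cannot be set on that cookie; in that case keep `Secure` and `SameSite`, and keep the token in a cookie separate from the session cookie so an XSS cannot read the session.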