usnistgov/800-63-3

Require HttpOnly browser cookies

jimfenton opened this issue · 2 comments

In 800-63B Section 7.1.1, use of HttpOnly is a SHOULD. Consider making it a SHALL to improve resistance to XSS and similar attacks.

"SHOULD" seems proportionate to me. Setting HttpOnly in cookies will preclude the use of certain types of cross-origin requests, where tokens are needed in JavaScript.

There are sometimes alternatives using CORS and cross-origin requests with .withCredentials = true, but these can be more complicated to implement without advance planning.

Perhaps there's some language that could convey "should set HttpOnly without a specific good reason not to".
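To make the trade-off in the comment above concrete, here is an added example (not code from the issue thread or from 800-63B; all function names are hypothetical). It builds a session cookie with HttpOnly, shows what script can still see through document.cookie, and builds the CORS response headers a server needs when a browser sends that cookie cross-origin with withCredentials = true (Access-Control-Allow-Origin must echo a specific origin, never "*", and Access-Control-Allow-Credentials must be "true").

```javascript
// Added example, not from the issue or the 800-63B text. Names are hypothetical.

// Build a Set-Cookie header value for a session token. HttpOnly keeps the value
// out of document.cookie, so script injected via XSS cannot read it; the browser
// still attaches it to requests, including credentialed cross-origin ones.
function buildSessionCookie(name, value, { maxAgeSeconds = 3600, sameSite = 'Lax' } = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[\s;,"\\]/.test(value)) throw new Error('invalid cookie value');
  return [
    `${name}=${value}`,
    `Max-Age=${maxAgeSeconds}`,
    'Path=/',
    'Secure',
    'HttpOnly',
    `SameSite=${sameSite}`,
  ].join('; ');
}

// Simulate what document.cookie exposes to page script: every cookie that was
// set WITHOUT HttpOnly. This is the set an XSS payload could exfiltrate.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter(h => !h.split(';').map(s => s.trim().toLowerCase()).includes('httponly'))
    .map(h => h.split(';')[0].trim());
}

// CORS response headers for a credentialed cross-origin request (the
// ".withCredentials = true" / fetch credentials: 'include' case). Browsers reject
// "Access-Control-Allow-Origin: *" when credentials are included, so the server
// must check the Origin against an allow-list, echo that exact origin, and add
// "Vary: Origin" so caches do not serve one origin's response to another.
function corsHeadersForCredentialedRequest(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return null; // not allowed: emit no CORS headers
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}
```

With HttpOnly set, the session cookie still travels on the credentialed cross-origin request; only the JavaScript-side access is lost, which is the cost the comment above is weighing.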

For what it's worth, the normative "SHOULD" translates to "do this unless you have a very good and very specific reason not to do it", so I am in favor of keeping this a SHOULD, but perhaps with better explanation as to WHY.