Make JWT cookie HttpOnly #1903
github.com [Security] Make JWT cookie HttpOnly · Issue #1903 · LemmyNet/lemmy-ui
Requirements
- [X] This is a feature request and not a bug report. Otherwise, please create a new bug report instead.
- [X] Please check to see if this request (or a similar one) already exists.
- [X] It's a single feature. Please don't request multiple features in one issue.
Describe the feature you'd like
It would improve security if the JWT cookie is set to HttpOnly so JavaScript cannot access it. This requires some changes in the UI though since the cookie is currently managed by JavaScript running in the browser:
https://github.com/LemmyNet/lemmy-ui/blob/51842d64101ff1ef5f023b60a9ed25cb33b886c1/src/shared/utils/browser/set-auth-cookie.ts#L5-L12
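As an added illustration (not lemmy-ui's code) of the change this issue asks for: the server, not browser JavaScript, emits the JWT cookie with HttpOnly, and a small audit function reports which hardening flags a Set-Cookie header lacks. The cookie name "jwt", the option defaults and the sample token are assumptions for illustration.

```typescript
// Added example, not lemmy-ui code: the server issues the JWT cookie with HttpOnly,
// and a reviewer check reports which hardening flags a Set-Cookie header lacks.
// The cookie name "jwt" and the sample token are assumptions for illustration.

interface AuthCookieOptions {
  secure?: boolean; // omit only for plain-http local development
  maxAgeSeconds?: number;
  sameSite?: "Lax" | "Strict";
}

// Builds the Set-Cookie header value the server sends after a successful login.
// HttpOnly is always present: a cookie written via document.cookie can never be
// HttpOnly, so the cookie must move from browser JavaScript to the HTTP response.
function buildJwtSetCookie(token: string, opts: AuthCookieOptions = {}): string {
  const { secure = true, maxAgeSeconds = 60 * 60 * 24 * 365, sameSite = "Lax" } = opts;
  if (!/^[A-Za-z0-9_.-]+$/.test(token)) {
    throw new Error("token contains characters not allowed in a cookie value");
  }
  const parts = [`jwt=${token}`, "Path=/", `Max-Age=${maxAgeSeconds}`, `SameSite=${sameSite}`, "HttpOnly"];
  if (secure) parts.push("Secure");
  return parts.join("; ");
}

interface CookieFlagReport {
  httpOnly: boolean;
  secure: boolean;
  sameSite: string | null;
  missing: string[]; // flags a session cookie should carry but does not
}

// Parses a Set-Cookie header value (attribute names are case-insensitive per
// RFC 6265) and reports the missing flags; run it against a real login response.
function auditSetCookie(header: string): CookieFlagReport {
  const attrs = header.split(";").slice(1).map((a) => a.trim());
  const lower = attrs.map((a) => a.toLowerCase());
  const httpOnly = lower.indexOf("httponly") !== -1;
  const secure = lower.indexOf("secure") !== -1;
  const ss = attrs.filter((a) => a.toLowerCase().indexOf("samesite=") === 0)[0];
  const sameSite = ss ? ss.slice("samesite=".length) : null;
  const missing: string[] = [];
  if (!httpOnly) missing.push("HttpOnly");
  if (!secure) missing.push("Secure");
  if (!sameSite) missing.push("SameSite");
  return { httpOnly, secure, sameSite, missing };
}
```

Pointing `auditSetCookie` at the `Set-Cookie` header of the login response is a quick way to confirm the flag actually lands in the browser after the change.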