[Closed][UI] [Security] Make JWT cookie HttpOnly #1903

github.com [Security] Make JWT cookie HttpOnly · Issue #1903 · LemmyNet/lemmy-ui

Requirements This is a feature request and not a bug report. Otherwise, please create a new bug report instead. Please check to see if this request (or a similar one) already exists. It's a single ...

Requirements

[X] This is a feature request and not a bug report. Otherwise, please create a new bug report instead.
[X] Please check to see if this request (or a similar one) already exists.
[X] It's a single feature. Please don't request multiple features in one issue.

Describe the feature you'd like

It would improve security if the JWT cookie is set to HttpOnly so JavaScript cannot access it. This requires some changes in the UI though since the cookie is currently managed by JavaScript running in the browser:

https://github.com/LemmyNet/lemmy-ui/blob/51842d64101ff1ef5f023b60a9ed25cb33b886c1/src/shared/utils/browser/set-auth-cookie.ts#L5-L12

1 comments

I realized this is a duplicate of #1252, let's continue tracking this in that issue

Originally posted by sunaurus in #1903