Is there a reason why the XSRF-TOKEN has HttpOnly set to false when the default for cookies is true? #48805
-
A site I work on had a security scan done through Acunetix and it was flagging the XSRF-TOKEN as missing HttpOnly. The default config in Laravel is to set HttpOnly to Everything I read on the matter said that there's no benefit. With that in mind, is there a reason not to set HttpOnly to true?
I fixed the scan by adding Is there a negative to setting it to
Replies: 1 comment
-
The XSRF-TOKEN cookie passes the CSRF token through to the JavaScript layer, so tools like Axios can automatically make requests to non-GET endpoints. The HttpOnly flag needs to be disabled or the cookie cannot be accessed in JS. If you have an SPA or use something like Inertia, you'll probably need it. If not, you can disable it.