
Is there a reason why the XSRF-TOKEN has HttpOnly set to false when the default for cookies is true? #48805

Answered by valorin
adampatterson asked this question in General

The XSRF-TOKEN cookie passes the CSRF token through to the JavaScript layer, so tools like Axios can automatically make requests to non-GET endpoints. The HttpOnly flag needs to be disabled or the cookie cannot be accessed in JS.

If you have an SPA or use something like Inertia, you'll probably need it. If not, you can disable it.
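The cookie-to-header flow the answer describes, as an added example that is not part of this discussion and not Laravel's or Axios's own code. It assumes the default names Axios looks for (cookie `XSRF-TOKEN`, header `X-XSRF-TOKEN`) and uses a constructed cookie string in place of `document.cookie`:

```javascript
// Added example: how a client consumes the non-HttpOnly XSRF-TOKEN cookie,
// i.e. what Axios does automatically for non-GET requests.
// Assumptions: cookie name XSRF-TOKEN and header X-XSRF-TOKEN (Axios defaults);
// the cookie value is URL-encoded, as Laravel sets it.

// Parse a document.cookie-style string ("a=1; b=2") into a Map.
// Cookies flagged HttpOnly never appear in document.cookie at all, which is
// why XSRF-TOKEN must be readable (HttpOnly = false) for this to work.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar.set(name, value);
  }
  return jar;
}

// Read the CSRF token the way Axios does: look up the cookie by name and
// URL-decode it. Returns null when the cookie is absent (e.g. HttpOnly set).
function readXsrfToken(cookieString, cookieName = 'XSRF-TOKEN') {
  const raw = parseCookies(cookieString).get(cookieName);
  return raw === undefined ? null : decodeURIComponent(raw);
}

// Build request headers for a state-changing request. Safe methods need no
// token; for the rest the cookie value is echoed back as X-XSRF-TOKEN so the
// server can compare it with the token held in the session.
function withXsrfHeader(method, headers, cookieString) {
  const out = { ...headers };
  if (['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase())) return out;
  const token = readXsrfToken(cookieString);
  if (token !== null) out['X-XSRF-TOKEN'] = token;
  return out;
}

// Constructed sample of what document.cookie would expose: the session cookie
// is HttpOnly and therefore missing, while XSRF-TOKEN is visible to JS.
const SAMPLE_DOCUMENT_COOKIE = 'XSRF-TOKEN=abc%3D%3D; other=1';

console.log(withXsrfHeader('POST', { 'Content-Type': 'application/json' },
  SAMPLE_DOCUMENT_COOKIE));
```

If you set HttpOnly on XSRF-TOKEN, `readXsrfToken` returns null and the header is never added, which is exactly why a POST from an SPA then fails CSRF verification.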

Answer selected by adampatterson