🐛 Bug Report
I've noticed that the access tokens used in the application are not being set with the HTTP-only attribute. This poses a potential security risk. Anybody can use this to run malicious client-side scripts.
Expected Behavior
To mitigate this risk, I propose that we update the implementation to set the HTTP-only attribute for access tokens.
Possible Solution
Set the implementation of metacall-access-token to httpOnly. By doing so, we restrict access to the tokens only through HTTP requests, thereby enhancing the security of our authentication mechanism.
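As an added example (not the MetaCall project's code), the following Node.js snippet builds the Set-Cookie header for the metacall-access-token cookie with and without the HttpOnly flag, and audits an arbitrary Set-Cookie header for the attributes a token cookie should carry. The cookie name comes from the issue; the token value, max-age and the Secure/SameSite defaults are constructed assumptions.

```javascript
// Added example: build and audit Set-Cookie headers for an access-token cookie.
// Only the cookie name is taken from the issue; everything else is constructed.
const TOKEN_COOKIE = 'metacall-access-token';

// Build the Set-Cookie value. With hardened=false the cookie is emitted the way the
// issue describes (no HttpOnly), so any script on the page can read it via
// document.cookie; with hardened=true the proposed fix (HttpOnly) plus the usual
// companion flags are added.
function buildTokenCookie(token, { hardened = true, maxAgeSeconds = 3600 } = {}) {
  const parts = [`${TOKEN_COOKIE}=${encodeURIComponent(token)}`, 'Path=/', `Max-Age=${maxAgeSeconds}`];
  if (hardened) {
    parts.push('HttpOnly');        // not exposed to document.cookie or XHR/fetch cookie APIs
    parts.push('Secure');          // only sent over HTTPS
    parts.push('SameSite=Strict'); // not attached to cross-site requests
  }
  return parts.join('; ');
}

// Parse a Set-Cookie header into name, value and a lower-cased attribute map.
// Valueless attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Audit a Set-Cookie header for the access-token cookie; returns a list of
// problems (empty means the cookie is set the way the issue proposes). Other
// cookies are ignored.
function auditTokenCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const problems = [];
  if (name !== TOKEN_COOKIE) return problems;
  if (attributes.httponly !== true) problems.push('missing HttpOnly: token readable from document.cookie');
  if (attributes.secure !== true) problems.push('missing Secure: token may be sent over plaintext HTTP');
  const sameSite = String(attributes.samesite || 'none').toLowerCase();
  if (sameSite === 'none') problems.push('SameSite absent or None: token sent on cross-site requests');
  return problems;
}

// Constructed sample run: the reported header versus the proposed fix.
const weak = buildTokenCookie('constructed-token-value', { hardened: false });
const fixed = buildTokenCookie('constructed-token-value');
console.log(weak, auditTokenCookie(weak));   // three findings
console.log(fixed, auditTokenCookie(fixed)); // []
```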