fix(api): CSRF-token should not be httpOnly (#55365)

2026-05-28 18:26:54 +00:00 · 2024-07-01 21:54:01 +02:00
parent 464dbf6a28
commit 669b4908b1
1 changed files with 4 additions and 1 deletions
@@ -140,7 +140,10 @@ export const build = async (
      const token = reply.generateCsrf();
      void reply.setCookie('csrf_token', token, {
        sameSite: 'strict',
-        signed: false
+        signed: false,
+        // it needs to be read by the client, so that it can be sent in the
+        // header of the next request:
+        httpOnly: false
      });
    }
    done();