New
Introducing React Bench, see how different models perform on React code

react-doctor/insecure-session-cookie

Auth cookie missing HttpOnly protection

  • Category: Security
  • Severity: warn
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: always
  • Tags: security-scan
  • Default: Enabled

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Confirm the reported code matches Auth cookie missing HttpOnly protection. Check the framework context and diagnostic message before suppressing it.

Fix prompt

Use this once validation confirms the diagnostic is real.

Set auth/session cookies server-side with httpOnly: true, secure: true, and sameSite. Cookies set via document.cookie or with httpOnly: false are readable by any XSS payload and can be stolen.

More Security rules from the rules reference: