react-doctor/insecure-session-cookie
Auth cookie missing HttpOnly protection
- Category: Security
- Severity: warn
- Source:
oxlint-plugin-react-doctor - Framework: global
- Enabled when: always
- Tags: security-scan
- Default: Enabled
Validation prompt
Use this to decide whether a fired diagnostic is real or a false positive.
Confirm the reported code matches Auth cookie missing HttpOnly protection. Check the framework context and diagnostic message before suppressing it.
Fix prompt
Use this once validation confirms the diagnostic is real.
Set auth/session cookies server-side with httpOnly: true, secure: true, and sameSite. Cookies set via document.cookie or with httpOnly: false are readable by any XSS payload and can be stolen.
Related rules
More Security rules from the rules reference:
react-doctor/jsx-no-script-url: Disallow javascript: URLs in href — they execute arbitrary code, and React 19 throws on them.react-doctor/jsx-no-target-blank: Add rel="noreferrer" (or "noopener") whenever using target="_blank".react-doctor/jwt-insecure-verification: JWT verified with the 'none' algorithmreact-doctor/key-lifecycle-risk: A private key or release credential committed inline to the repo is exposed in git history and must be rotated and revoked.react-doctor/local-rpc-native-bridge-risk: A localhost or native bridge that accepts loose origins and exposes install/update or shell commands lets a malicious web page drive native actions on the user's machine.