Skip to content

Refresh token cookie is not marked HttpOnly in backend response #156

Description

@SahilKumar75

backend/src/auth sets the refresh token cookie without the HttpOnly flag, making it accessible via JavaScript. XSS vulnerability — must set HttpOnly=true.

Metadata

Metadata

Assignees

No one assigned

    Labels

    authAuthentication issuesbackendJava Spring backendbugSomething isn't working

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions