Y
Hacker News
new
|
ask
|
show
|
jobs
by
selfmodruntime
184 days ago
Token stealing hasn't been a real danger for a decade now. If you don't mark your token's as non-HTTP you're doing something explicitely wrong, because 99% of backends nowadays do this for you.
1 comments
collinmanderson
184 days ago
with http-only they can't _steal_ the cookie, but they can still _use_ the cookie. It reduces the impact but doesn't fully solve it.
link