DEV Community

Discussion on: Auth in Web - Cookies Vs Storage

Kannan (Author) • Edited

@faizan The Secure flag makes the browser send the cookie only over HTTPS. HttpOnly makes sure the cookie is not accessible from JavaScript, where it is usually read via document.cookie. But an XSS attack basically means the attacker manages to inject a malicious script into your browser.

Let's say that in a dev.to blog post I was able to inject this:

<script>
  // same-origin request, so the browser attaches the session cookie itself
  fetch('account/delete', { method: 'DELETE' });
</script>

Whenever my blog post is opened, the user's account will be deleted.

In this case, even if the cookie is Secure and HttpOnly, it's of no use, right?

Faizan Akram Dar

Hey, sorry that's not me :P

I mean you mentioned me.

You're right though, hence sanitization 🙂
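Added example (not code from either commenter or from dev.to): the two server-side measures this exchange touches on, side by side. Kannan's point is that Secure and HttpOnly limit what a session cookie can be used for but do nothing once a script is already running in the page; Faizan's reply is that output sanitization is what stops the script from running in the first place. The cookie name, session id and the Express-style header value below are assumptions for illustration.

```javascript
// Added example, not from the thread. Assumes a Node/Express-style server that
// sets a session cookie and renders user-submitted post bodies into HTML.

// Build a Set-Cookie header value with the hardening attributes from the thread.
// Note: none of these attributes stop a script that is already executing on the
// same origin (the injected fetch() above is a same-origin request, so the
// browser attaches the cookie itself). They limit exposure, not injection.
function buildSessionCookie(name, value, { maxAgeSeconds = 3600 } = {}) {
  // Cookie values may not contain ';' or control characters; encode to be safe.
  const encoded = encodeURIComponent(value);
  return [
    `${name}=${encoded}`,
    'Secure',        // sent over HTTPS only
    'HttpOnly',      // not readable via document.cookie
    'SameSite=Lax',  // not attached to most cross-site requests
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
  ].join('; ');
}

// Escape user-controlled text before interpolating it into HTML, so a post body
// like "<script>...</script>" is displayed as text rather than executed.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render a post. Only the untrusted title and body go through escapeHtml;
// the markup the server itself emits around them does not.
function renderPost(title, body) {
  return `<article><h1>${escapeHtml(title)}</h1><p>${escapeHtml(body)}</p></article>`;
}

// Constructed sample input: the payload from the discussion above.
const injectedBody = "<script>fetch('account/delete', { method: 'DELETE' });</script>";

const page = renderPost('My post', injectedBody);
console.log(page);
// The output contains "&lt;script&gt;" and no executable <script> tag.

console.log(buildSessionCookie('sid', 'hypothetical-session-id'));
// sid=hypothetical-session-id; Secure; HttpOnly; SameSite=Lax; Path=/; Max-Age=3600
```

The cookie attributes and the escaping are complementary: the attributes keep a cookie off plain HTTP and out of document.cookie, while context-aware escaping (here, for HTML text content; attribute and URL contexts need their own rules) is what keeps the injected script from running at all.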

Kannan (Author)

Oops! Sorry about that.