httpOnly: false is it safe? use an api to get cookie server side instead?

[robthepaper]

Hi @jianyuan , thanks for your project, I am using part of your code to implement with my project. Was wondering if it is safe to set httpOnly to false?

What do you think about setting an server side api to retrieve the cookie content instead of accessing it in js client side with document.cookie?