JWT Should be Stored in an HttpOnly Cookie

[tianjk99]

Please check if there is a security issue.

1. server/server.js, line 40.

Setting "httpOnly" to false may be due to specific design needs or use cases. In some cases, applications may need to access cookie data via JavaScript to implement specific functionality or to interact with other components. However, to be clear, setting "httpOnly" to false may increase potential security risks. Allowing client-side JavaScript to access cookies containing sensitive data can lead to security issues such as XSS attacks. An attacker could exploit the vulnerability to steal a user's credentials or perform malicious actions.

It is recommended to set "httpOnly" to true to enhance the platform's security and prevent cross-site scripting (XSS) attacks and other security vulnerabilities.