
I suggest adding httponly: true to the template of devise.rb

Open kossy0701 opened this issue 2 years ago • 0 comments

Summary

Thank you for making an amazing Gem, and thanks to all contributors.

I think httponly: true should be added to the template of devise.rb.

A cookie with the HttpOnly attribute is inaccessible to the JavaScript Document.cookie API; it's only sent to the server. For example, cookies that persist in server-side sessions don't need to be available to JavaScript and should have the HttpOnly attribute. This precaution helps mitigate cross-site scripting (XSS) attacks.

Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

Fix Proposal

   # secure: true in order to force SSL only cookies.
+  # httponly: true in order to restrict operate with JavaScript.
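Review bot: the added comment line is ungrammatical ("in order to restrict operate with JavaScript"); since it sits directly under "# secure: true in order to force SSL only cookies.", match that phrasing, e.g. `# httponly: true in order to make the cookie inaccessible to JavaScript (document.cookie).` The hunk only adds a comment; if the template's example assignment for this option is touched as well, showing both attributes together, e.g. `# config.rememberable_options = { secure: true, httponly: true }`, would let a reader see how the two combine rather than having to infer it.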

https://github.com/heartcombo/devise/blob/main/lib/generators/templates/devise.rb#L176

kossy0701 Aug 04 '22 07:08
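As an added example (not part of the issue above and not Devise's own code), the following Ruby shows what the proposed option hash looks like, what Set-Cookie header it produces, and a small audit that flags cookies lacking HttpOnly or Secure. The option keys `secure:` and `httponly:` are the standard Rack/Rails cookie option names, and the assumption is that Devise passes `rememberable_options` through to the cookie jar unchanged; the cookie name `remember_user_token` and the sample headers are constructed for the example.

```ruby
require "time"

# The devise.rb setting this issue is about, with both attributes set. The key
# names are the Rack/Rails cookie option names (assumption: Devise hands this
# hash straight to the cookie jar when it writes the remember-me cookie).
REMEMBERABLE_OPTIONS = { secure: true, httponly: true }.freeze

# Render a Set-Cookie header value the way a cookie jar would for the given
# Rack-style options (cookie name is an assumption for the example).
def set_cookie_header(name, value, opts = {})
  parts = ["#{name}=#{value}"]
  parts << "path=#{opts[:path]}" if opts[:path]
  parts << "expires=#{opts[:expires].httpdate}" if opts[:expires]
  parts << "secure" if opts[:secure]
  parts << "HttpOnly" if opts[:httponly]
  parts << "SameSite=#{opts[:same_site]}" if opts[:same_site]
  parts.join("; ")
end

# Split a Set-Cookie header into the cookie name and its attribute names,
# lower-cased because cookie attribute names are case-insensitive.
def parse_set_cookie(header)
  name_value, *attrs = header.split(/;\s*/)
  { name: name_value.split("=", 2).first,
    flags: attrs.map { |a| a.split("=", 2).first.downcase } }
end

# Audit a response's Set-Cookie headers: return the names of cookies that lack
# any of the required attributes (HttpOnly and Secure by default).
def cookies_missing_flags(headers, required: %w[httponly secure])
  headers.map { |h| parse_set_cookie(h) }
         .reject { |c| required.all? { |f| c[:flags].include?(f) } }
         .map { |c| c[:name] }
end

# Constructed sample response headers: one remember-me cookie set with the
# proposed options, one set with the template default (empty hash), and a
# session cookie that already carries both attributes.
SAMPLE_HEADERS = [
  set_cookie_header("remember_user_token", "abc.def", REMEMBERABLE_OPTIONS.merge(path: "/")),
  set_cookie_header("remember_admin_token", "ghi.jkl", {}),
  "_app_session=xyz; path=/; secure; HttpOnly; SameSite=Lax",
].freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_HEADERS.each { |h| puts "Set-Cookie: #{h}" }
  puts "missing HttpOnly/Secure: #{cookies_missing_flags(SAMPLE_HEADERS).inspect}"
end
```

Running the script prints the three headers and reports `remember_admin_token` as the one cookie missing the attributes, which is exactly the cookie written with the template's empty option hash. Note the limit of the mitigation: HttpOnly stops script from reading the cookie, but the browser still attaches it to requests, so XSS can still drive authenticated requests from the victim's browser; the attribute narrows what an injected script can exfiltrate, it does not neutralise the injection.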