
Metacall Access Token not set to httpOnly

Open abhiraj-ku opened this issue 1 year ago • 1 comment

🐛 Bug Report

I've noticed that the access tokens used in the application are not being set with the HTTP-only attribute. This poses a potential security risk. Anybody can use this to run malicious client-side scripts.

Expected Behavior

To mitigate this risk, I propose that we update the implementation to set the HTTP-only attribute for access tokens.

Possible Solution

Set the implementation of metacall-access-token to httpOnly. By doing so, we restrict access to the tokens to HTTP requests only, thereby enhancing the security of our authentication mechanism.

abhiraj-ku avatar May 02 '24 14:05 abhiraj-ku
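The report assumes the token is carried in a cookie named metacall-access-token. The following is an added example, not MetaCall code: it builds the Set-Cookie header a server would emit with HttpOnly (plus Secure and SameSite, which a practitioner would set at the same time) and audits an existing header for the missing attributes. The helper names, the default Max-Age, and the sample token value are assumptions for illustration.

```javascript
// Added example (not part of the MetaCall project): build and audit
// Set-Cookie headers for an access-token cookie. Only the cookie name
// "metacall-access-token" comes from the issue; helper names, defaults and
// the sample token are assumed.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute keys are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the list of hardening problems for one Set-Cookie header (empty = OK).
function auditCookie(header) {
  const { attrs } = parseSetCookie(header);
  const problems = [];
  if (!attrs.httponly) problems.push('missing HttpOnly: readable via document.cookie');
  if (!attrs.secure) problems.push('missing Secure: sent over plain HTTP');
  const ss = String(attrs.samesite || '').toLowerCase();
  if (!ss) problems.push('missing SameSite: browser default applies');
  else if (ss === 'none' && !attrs.secure) problems.push('SameSite=None requires Secure');
  return problems;
}

// Build the header a server would emit for the token cookie.
// Rejects names/values containing characters that would break the header.
function buildTokenCookie(name, token, { maxAge = 900, path = '/', sameSite = 'Lax' } = {}) {
  if (/[;,\s=]/.test(name) || /[;,\s]/.test(token)) {
    throw new Error('invalid cookie name or value');
  }
  return [
    `${name}=${token}`,
    `Max-Age=${maxAge}`,
    `Path=${path}`,
    'HttpOnly',
    'Secure',
    `SameSite=${sameSite}`,
  ].join('; ');
}

// Constructed samples: a header as the issue describes it, and a hardened one.
const weakHeader = 'metacall-access-token=eyJhbGciOi.example.token; Path=/';
const hardenedHeader = buildTokenCookie('metacall-access-token', 'eyJhbGciOi.example.token');

console.log(auditCookie(weakHeader));     // three findings, HttpOnly first
console.log(auditCookie(hardenedHeader)); // []
```

If the server is Express, the equivalent of buildTokenCookie is `res.cookie('metacall-access-token', token, { httpOnly: true, secure: true, sameSite: 'lax', maxAge: 900000 })`. Note that HttpOnly only stops scripts from reading the cookie; it does not stop a script running in the page from making authenticated requests with it, so it complements rather than replaces fixing any injection that lets such a script run.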

@abhiraj-ku can you explain which token you are referring to?

viferga avatar Jun 19 '24 21:06 viferga