Hi,
As mention in the other post, we are running a web vulnerability scan and we realized the cookie csrf-token is set to HTTPOnly = fasle. Is this a requirement for R Studio Server to run? The implication is If this flag is not set, then the browser will allow client-side script to access the cookie. As a result, the cookie becomes vulnerable to theft by malicious script. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value