CSRF Token set to HTTPonly True


Is it possible for CSRF Token to be set to httponly true? Are there any implications?


Hi Javin,

As I just mentioned re. your other post, we’ll need some more context to be able to help you. Take a look at the tidyverse.org/help page, perhaps. It provides some useful tips for how to write a question to maximise your chances of getting a meaningful answer!



As mentioned in the other post, we are running a web vulnerability scan and we realized the cookie csrf-token is set to HTTPOnly = false. Is this a requirement for RStudio Server to run? The implication is that if this flag is not set, then the browser will allow client-side script to access the cookie. As a result, the cookie becomes vulnerable to theft by malicious script. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie’s value
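
An added example (not part of the original thread, and not RStudio code): a small triage script for the scanner finding discussed above. It parses `Set-Cookie` headers and separates cookies that simply lack HttpOnly from those an operator has listed as needing to be read by client-side script. The cookie names, values and the allowlist are constructed assumptions.

```python
# Added example: triage "cookie without HttpOnly" scanner findings.
# Cookie names, values and the allowlist below are constructed for illustration.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_httponly(headers, script_readable=frozenset()):
    """Classify each cookie: 'ok', 'fail', or 'review' (needs a human decision)."""
    results = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if "httponly" in attrs:
            results[name] = ("ok", "HttpOnly set; hidden from document.cookie")
        elif name in script_readable:
            # Flag absent on purpose: record the attributes that are present
            # so the reviewer can judge the remaining exposure.
            present = [a for a in ("secure", "samesite") if a in attrs]
            results[name] = ("review", "script-readable by design; also has: "
                             + (", ".join(present) or "none"))
        else:
            results[name] = ("fail", "HttpOnly missing; readable by client-side script")
    return results


# Constructed sample responses (not captured from any real server).
SAMPLE_HEADERS = [
    "csrf-token=example-token; Path=/; Secure; SameSite=Lax",
    "session-id=example-session; Path=/; HttpOnly; Secure",
    "prefs=dark; Path=/",
]

if __name__ == "__main__":
    # Assumption: the application's own JavaScript reads csrf-token.
    for cookie, (status, note) in audit_httponly(
            SAMPLE_HEADERS, script_readable={"csrf-token"}).items():
        print(f"{cookie:12} {status:7} {note}")
```
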