HTTPOnly cookie possible? #377

Xzandro opened this issue Dec 13, 2023 · 2 comments
Labels
question Further information is requested

Comments

@Xzandro

Xzandro commented Dec 13, 2023

So, I tried to use the authentication and it worked pretty great for the most part. But when I set httpOnly for the cookies, it will not be set. What would be the reason for that? I would understand that the client does not have access to that cookie, but not sure if we would need to have access anyway? I'm just worried about potential security risks.

When I try this, it works:

```js
cookie: {
    maxAge: 14 * 24 * 60 * 60,
    secure: process.env.NODE_ENV === 'production',
    sameSite: true
}
```

But when I add httpOnly, then the cookie is not set. Does not work:

```js
cookie: {
    httpOnly: true,
    maxAge: 14 * 24 * 60 * 60,
    secure: process.env.NODE_ENV === 'production',
    sameSite: true
}
```

I also tried various other things, like setting sameSite to lax etc. Everything works, until I set httpOnly to true.
@Xzandro Xzandro added the question Further information is requested label Dec 13, 2023
@rrubio

rrubio commented Dec 27, 2023

I'm having the same issue. Have you had any luck @Xzandro ?

Versions:

  • NuxtJS 3
  • Strapi 4.13.6
  • NodeJS v18.16.0

nuxt.config.ts (strapi)

```ts
  runtimeConfig: {
    recaptcha: {
      secret_key: process.env.RECAPTCHA_SECRET_KEY,
    },
    public: {
      recaptcha: {
        site_key: process.env.RECAPTCHA_SITE_KEY,
      },
      media: {
        url: process.env.STRAPI_URL,
      },
      strapi: {
        url: process.env.STRAPI_URL,
        prefix: '/api',
        version: 'v4',
        cookieName: 'strapi_jwt',
        cookie: {
          path: '/',
          httpOnly: true,
        },
      },
    }
  },
```

@Xzandro
Author

Xzandro commented Dec 29, 2023

I do not. I just went without HTTP only for now. I set secure in production for the cookie though. Still not sure how bad it currently is, but I suspect that we somehow get the cookies via JS on the client side and thus HTTP only is not possible, not sure.
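The behaviour both reporters hit follows from the cookie storage rules in RFC 6265 section 5.3: a cookie that arrives through a non-HTTP API (i.e. written from script via document.cookie) and carries the HttpOnly flag is ignored entirely, and script is likewise not allowed to overwrite an existing HttpOnly cookie. The example below is added here and is not code from the Nuxt Strapi module; it models those two rules in plain Node and shows the Set-Cookie header a server route would have to emit to get an HttpOnly `strapi_jwt` cookie (SameSite=Strict is assumed as the equivalent of the thread's `sameSite: true`).

```javascript
// Added example, not from the Nuxt Strapi module: why HttpOnly cannot be set
// from browser script, and what the server-side Set-Cookie alternative looks like.

const COOKIE_NAME = 'strapi_jwt'; // cookieName used in the thread's nuxt.config.ts

// Build the Set-Cookie header value for the JWT with the attributes discussed
// in the thread. Only a server response header can attach HttpOnly.
function buildSetCookie(token, { production = false, maxAge = 14 * 24 * 60 * 60 } = {}) {
  const parts = [
    `${COOKIE_NAME}=${encodeURIComponent(token)}`,
    'Path=/',
    `Max-Age=${maxAge}`,
    'HttpOnly',
    'SameSite=Strict',
  ];
  if (production) parts.push('Secure'); // mirrors secure: NODE_ENV === 'production'
  return parts.join('; ');
}

// Minimal model of the RFC 6265 section 5.3 storage algorithm.
// `jar` is a Map of name -> { value, httpOnly }; `fromScript` is true when the
// cookie string comes via document.cookie, the path a client-side helper takes.
function storeCookie(jar, cookieString, { fromScript }) {
  const [pair, ...attrs] = cookieString.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const httpOnly = attrs.some((a) => a.toLowerCase() === 'httponly');
  // Step 10: HttpOnly cookie from a non-HTTP API -> ignored entirely.
  // This is the "cookie is not set" the reporters observed.
  if (fromScript && httpOnly) return false;
  // Step 11: script may not replace an existing HttpOnly cookie either.
  const old = jar.get(name);
  if (fromScript && old && old.httpOnly) return false;
  jar.set(name, { value, httpOnly });
  return true;
}

// Stand-alone demo: same header, written from script vs. received from the server.
function demo() {
  const jar = new Map();
  const header = buildSetCookie('constructed.jwt.value', { production: true });
  const viaScript = storeCookie(jar, header, { fromScript: true }); // false
  const viaServer = storeCookie(jar, header, { fromScript: false }); // true
  return { header, viaScript, viaServer, stored: jar.get(COOKIE_NAME) };
}

module.exports = { COOKIE_NAME, buildSetCookie, storeCookie, demo };
```

In Nuxt terms this means the login call has to go through a server route (Nitro) that talks to Strapi and emits the Set-Cookie header itself, rather than the client writing the cookie after the response arrives.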
