How to fix cookies without the HttpOnly flag
Your session or auth cookie is missing the `HttpOnly` attribute. Without it, any JavaScript running on your site can read the cookie — including malicious scripts injected via XSS. For session tokens, JWTs, or CSRF tokens, HttpOnly should always be set. The fix is one attribute: `; HttpOnly`. Add it wherever you set cookies.
Why it matters
HttpOnly is the defense that assumes XSS will happen. Even if an attacker injects a script, they cannot exfiltrate a cookie marked HttpOnly. CSP plus HttpOnly cookies is the gold standard.
How to check
- DevTools → Application → Cookies: check the HttpOnly column.
- If your session cookie has HttpOnly unchecked, it is readable by any script.
Or let SafeToShip check it for you in 60 seconds:
How to fix it
Next.js
Set httpOnly: true on every session/auth cookie.
```ts
import { cookies } from 'next/headers';

// Inside a Route Handler or Server Action (cookies().set() is only allowed
// there). On Next.js 15+ cookies() is async: use (await cookies()).set(...).
cookies().set({
  name: 'session',
  value: token,     // the session token issued server-side
  httpOnly: true,   // not readable via document.cookie, even by an injected script
  secure: true,
  sameSite: 'lax',
});
```

Generic
Add `HttpOnly` to session/auth cookies.

```http
Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax
```

AI prompt
Copy-paste into your AI tool
Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.
Find every place my app sets cookies. For cookies that store session tokens, JWTs, or auth state, add HttpOnly. For cookies that my client-side code needs to read (user preferences, theme), leave HttpOnly off but tell me which ones those are and confirm they do not contain sensitive data.
FAQ
Frequently asked questions
- My frontend reads the JWT from the cookie — what do I do?
- Stop. Keep the JWT server-side-only. Have your API read the cookie via `cookies()` in route handlers and return just the data the frontend needs. The frontend never needs the raw token.
Related fix guides
Fix these too
- Cookie missing Secure flag: Cookies without the Secure flag can be sent over HTTP, leaking session tokens to anyone on the same network. Here is how to set it.
- Cookie missing SameSite: SameSite controls whether cookies are sent on cross-site requests — the main defense against CSRF. Here is how to set it.
- Missing CSP header: A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.