Why use httpOnly for JWT cookies?
Scripts cannot read the cookie. This protects against XSS-driven token theft. Without httpOnly, any script (including injected ones) can read the token and send it to an attacker.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in How to Securely Store JWT in Cookies
Set httpOnly: true (no script access), secure: true (HTTPS only), sameSite: 'lax' or 'strict' (CSRF protection), and maxAge matching the JWT expiry. Clear with the same options on logout.
The cookie is only sent over HTTPS. Without secure, the cookie is sent over HTTP too, and a man-in-the-middle can read it. Always use HTTPS in production.
Controls when the cookie is sent on cross-site requests. 'strict' never sends it cross-site (strongest CSRF protection). 'lax' sends it on top-level navigations (good balance). 'none' always sends it (requires secure: true; use only for third-party embeds).
Still have questions?
Browse all our FAQs or reach out to our support team
