How to add httponly true in the csrftoken cookie

Hi all,
For security purposes I want to set httponly true on the csrftoken cookie.
Does anyone know where we can set httponly true on the csrf token cookie?
Does it affect other functions?
Please guide me on what I can do. Thanks in advance :slightly_smiling_face:

CSRF tokens need to be available to Javascript in order to send as part of form submissions, so they cannot be made httponly.


Thanks @Tim_McCormack for the reply.
But this may be the cause of certain client-side attacks, such as cross-site scripting and trivially capturing the cookie’s value via an injected script.
So is it okay to not make this cookie httponly?

Think of what CSRF prevention is designed for: To prevent pages on other sites from making cross-origin requests that carry “ambient authority” (session cookies, TLS client certs, HTTP Auth). In the XSS scenario you describe, the malicious request would be coming from the same site, so CSRF prevention is already irrelevant. Therefore, the CSRF token does not need protection from Javascript. In fact, many frameworks don’t convey the CSRF token as a cookie at all, and just embed it as a value in the HTML itself.

[EDIT: Missing word “prevention” in the first sentence.]
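To make the reasoning in the reply above concrete, here is an added example (not code from the thread or from any particular framework) of the double-submit pattern the csrftoken cookie is used for: the server mints a token into a cookie that is readable by the page's own script, the script echoes it back in a request header, and the server checks that the two match. The cookie name `csrftoken` comes from the thread; the `script_visible_value` helper is an assumed stand-in for `document.cookie`, used to show that flipping on HttpOnly would blind the legitimate script while doing nothing against a cross-site page, which never gets to read the cookie in the first place.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

CSRF_COOKIE = "csrftoken"  # cookie name from the thread


def issue_csrf_cookie() -> tuple:
    """Mint a token and the Set-Cookie value that delivers it to the browser.

    Deliberately not HttpOnly: the site's own JavaScript must read this value
    and echo it back in a header or form field. Secure and SameSite are still
    set, since neither attribute blocks script access.
    """
    token = secrets.token_urlsafe(32)
    jar = SimpleCookie()
    jar[CSRF_COOKIE] = token
    jar[CSRF_COOKIE]["path"] = "/"
    jar[CSRF_COOKIE]["secure"] = True
    jar[CSRF_COOKIE]["samesite"] = "Lax"
    return token, jar.output(header="").strip()


def script_visible_value(set_cookie: str) -> Optional[str]:
    """Stand-in for document.cookie: script only sees a cookie lacking HttpOnly."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar.get(CSRF_COOKIE)
    if morsel is None or morsel["httponly"]:
        return None
    return morsel.value


def csrf_check(cookie_header: str, header_token: Optional[str]) -> bool:
    """Server-side double-submit check: cookie and echoed token must match.

    A cross-site page can make the browser attach the cookie, but it cannot
    read the cookie to fill in the header, so such a request fails here.
    Comparison is constant-time to avoid leaking the token via timing.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(CSRF_COOKIE)
    if morsel is None or not header_token:
        return False
    return hmac.compare_digest(morsel.value, header_token)
```

With the cookie issued as above, a same-origin request that echoes the token passes, a cross-site request that carries only the cookie fails, and an HttpOnly variant of the same cookie would leave the legitimate script with nothing to echo.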