← all rules
code/js-cookie-httponly-false
Cookie set with httpOnly: false in auth context
What it detects
Auth/session cookies should always be HttpOnly so client-side scripts can't read them, eliminating cookie-stealing XSS. AI-generated cookie middleware often omits httpOnly or sets it to false to enable client JS reads.
How it runs
Applied line-by-line via a tagged regex with language-specific gating. Comments are skipped. Designed for high-confidence patterns where AST parsing would be overkill.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.