Use HttpOnly attribute for prohibiting access from JavaScript.

xirc · xirc · commit 6123d5702673 · 2020-09-28T19:58:41.000+09:00
diff --git a/app.py b/app.py
@@ -6,7 +6,7 @@
 @app.route('/index/', methods=["GET"])
 def index():
     response = make_response("Here, take some cookie!")
-    response.headers["Set-Cookie"] = "my-first-cookie=some-cookie-value"
+    response.headers["Set-Cookie"] = "my-first-cookie=some-cookie-value; HttpOnly"
     return response
 
 
