Will It Vibe logoWill It Vibe?
AUTHZ-023Medium severity-8 points

Auth token written to a script-readable cookie

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A token is written via document.cookie, which sets a cookie readable by JavaScript with no HttpOnly flag possible, leaving it exposed to XSS.

Why it matters

Setting a token through document.cookie creates a cookie that JavaScript can read, because a cookie written from script cannot carry the HttpOnly flag. That leaves the token exposed to cross-site scripting just as web storage would. Cookies meant to hold session or auth tokens should be set by the server with HttpOnly.

How to fix it

Set auth and session cookies from the server response with the HttpOnly, Secure, and SameSite attributes, not from client JavaScript. Remove the document.cookie assignment for the token. If the browser needs to know it is logged in, expose a separate non-sensitive flag rather than the token itself.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks