Javascript Security

• Environmental Variable: COOKIE_HTTP_ONLY
• Config File Key: cookie_http_only
• Type: bool
• Default: true

If true, prevents javascript in browsers from reading user session cookies.

danger

Setting this to false enables hostile javascript to steal session cookies and impersonate users.