A session cookie that is not marked HttpOnly can be read by JavaScript running on the page, so an XSS vulnerability on that page may lead to session stealing.
package main
import (
"github.com/gofiber/fiber/v2"
"github.com/gofiber/fiber/v2/middleware/session"
)
// main builds a Fiber app with a session store whose cookie is NOT marked
// HttpOnly. This is the insecure configuration the page describes: with
// CookieHTTPOnly set to false, script running on the page can read the
// session cookie, so an XSS on the page may lead to session theft.
func main() {
	app := fiber.New()

	cfg := session.Config{
		// false: the session cookie is issued without the HttpOnly attribute.
		CookieHTTPOnly: false,
	}
	store := session.New(cfg)

	// NOTE(review): session.New appears to return a store rather than a
	// handler; confirm app.Use accepts it as written, since Fiber's usual
	// pattern is to call the store's Get inside a request handler.
	app.Use(store)
}
package main
import (
"github.com/gofiber/fiber/v2"
"github.com/gofiber/fiber/v2/middleware/session"
)
// main builds a Fiber app with a session store whose cookie carries the
// HttpOnly attribute (CookieHTTPOnly: true), so page JavaScript cannot read
// the session cookie. This is the secure counterpart of the flagged example.
func main() {
	app := fiber.New()

	cfg := session.Config{
		// true: the session cookie is issued with the HttpOnly attribute,
		// keeping it out of reach of script on the page.
		CookieHTTPOnly: true,
	}
	store := session.New(cfg)

	// NOTE(review): session.New appears to return a store rather than a
	// handler; confirm app.Use accepts it as written, since Fiber's usual
	// pattern is to call the store's Get inside a request handler.
	app.Use(store)
}