In my Nuxt app, I’ve implemented custom authentication middleware and composables. On the backend (Spring Boot), my /login route sets a refreshToken as an HttpOnly cookie and returns an accessToken in the response body.
From my research, I understand that HttpOnly cookies should not be accessible via JavaScript on the client side. However, in my Nuxt custom composable useAuth(), I’m able to access the refreshToken using the useCookie(‘refreshToken’) composable — even though the cookie was set with the HttpOnly flag.
This behaviour confuses me. I was under the impression that such cookies are strictly inaccessible from JavaScript. Is Nuxt doing something under the hood that exposes these cookies? Or could this be a misconfiguration on my part?
Clarifications:
- I’m certain that my cookie is httpOnly from browser devtools