Token stealing hasn't been a real danger for a decade now. If you don't mark you... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		j-krieger 22 days ago \| parent \| context \| favorite \| on: We pwned X, Vercel, Cursor, and Discord through a ... Token stealing hasn't been a real danger for a decade now. If you don't mark your token's as non-HTTP you're doing something explicitely wrong, because 99% of backends nowadays do this for you.

collinmanderson 22 days ago [–]

with http-only they can't _steal_ the cookie, but they can still _use_ the cookie. It reduces the impact but doesn't fully solve it.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact