Hey there.
I assume you’re referring to the XSRF-TOKEN. This cookie is read by the web application, therefore it cannot be marked as HttpOnly. You can read a discussion about this here.\
If this is referring to another cookie, let us know.
2 Likes