Http-only cookies

altimetry-cosmologi9 · June 2, 2022, 12:03pm

Hi
I’m sending a request from postman to my rest API
in the request header, I’m setting a cookie that holds an access token string and setting it as http-only

like this:

however, when i send it and inspect the console view i can see the cookie value

Is this valid? cause from what I know when setting the http-only attribute only the server has access to the cookie content.

is this just because I’m using postman ?

thanks for the help

w4dd325 · June 2, 2022, 4:20pm

Hi @altimetry-cosmologi9

From my (very limited) understanding, it looks right …

HttpOnly - If present, the cookie won’t be accessible to the client-side scripts run on the page (for example, with document.cookie in JavaScript). The cookie will only be added to the cookie header in requests that are made. This field does not have an effect on Postman’s behavior.

I could be wrong though as I don’t know that much about cookies.

Topic		Replies	Views
Lower case set-cookie header not honoured by Postman 🗣 General Discussion header	3	2563	August 27, 2020
How to clear cookie after an Request 🙋 Help cookies	5	12535	August 24, 2023
Can't read httponly cookie in postman 🙋 Help cookie	0	642	February 21, 2023
How does Postman retrieve cookies from the server? 🙋 Help api	0	641	February 9, 2022
Auto Generated Cookie Header 🙋 Help header , cookies	3	4181	October 16, 2020

Http-only cookies

Related topics