Hi
I’m sending a request from postman to my rest API
in the request header, I’m setting a cookie that holds an access token string and setting it as http-only

like this:

image847×418 16 KB

however, when i send it and inspect the console view i can see the cookie value

Is this valid? cause from what I know when setting the http-only attribute only the server has access to the cookie content.

is this just because I’m using postman ?

thanks for the help

Hi @altimetry-cosmologi9

From my (very limited) understanding, it looks right …

• HttpOnly - If present, the cookie won’t be accessible to the client-side scripts run on the page (for example, with document.cookie in JavaScript). The cookie will only be added to the cookie header in requests that are made. This field does not have an effect on Postman’s behavior.

I could be wrong though as I don’t know that much about cookies.