0
votes

We used to set httpOnly to false on the XSRF token cookie set by the server so that our JavaScript could read it and attach it to the request header. However, our security team prohibits any cookie from having httpOnly set to false.

Our backend only returns JSON data and does not render any client-side HTML. Is there an alternative way to include the XSRF token in our request header?

Thanks.

1

1 Answer

0
votes

The CSRF token cookie is an obvious exception to the httpOnly requirement. Your security department should allow this, as double posting is a standard, OWASP-supported protection against CSRF. There is no way to do this with an httpOnly cookie; that's the point.

If they insist (which doesn't make any sense), you will have to choose a different method, for example synchronizer tokens.