Use HTTPS and secure, httpOnly, sameSite cookies

Use HTTPS and secure, httpOnly, sameSite cookies | BeforeMerge Rules | BeforeMerge

Why this matters

Without HTTPS, credentials and session tokens travel in the clear and can be intercepted. HttpOnly blocks JS access (mitigating XSS theft), Secure keeps cookies off plaintext channels, and SameSite reduces CSRF exposure.

// Bad: defaults — readable by JS, sent over HTTP
res.cookie("sid", token);
 
// Good: hardened cookie flags
res.cookie("sid", token, { httpOnly: true, secure: true, sameSite: "lax" });

Why This Matters

Related Rules

Catch this automatically on every PR

Why this matters