Backend safety

secure-cookies

Require `httpOnly` / `secure` / `sameSite` on `res.cookie` / `reply.setCookie` / `cookies().set`.

Session-shaped cookie names (`session`, `sid`, `next-auth.session-token`, `auth_token`, …) get a louder, consolidated message. UI-flag cookies that carry a primitive value (`1`, `true`, short strings) are exempt from `missingHttpOnly`, so that primitives in demo code do not dominate the report.

Behavior

  • Fixable: No.
  • Suggestions: No.

Examples

Bad:

res.cookie('session', token);

Good:

res.cookie('session', token, { httpOnly: true, secure: true, sameSite: 'lax' });
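The heuristics above (the three required flags, the louder consolidated message for session-shaped names, and the `missingHttpOnly` exemption for primitive UI-flag values) as a standalone audit helper for one `res.cookie(name, value, options)` call. This is an added example, not the deslint rule's implementation; the session-name list and the "short string" cut-off are assumptions.

```javascript
// Added example (not the deslint rule's own source): audits a single
// res.cookie(name, value, options) call against the page's heuristics.
const SESSION_NAMES = new Set(['session', 'sid', 'next-auth.session-token', 'auth_token']); // assumed list
const SHORT_STRING_MAX = 8; // assumed cut-off for a "short string" UI-flag value

function isUiFlagValue(value) {
  // UI-flag cookies carry a primitive: 1, true, or a short string.
  if (typeof value === 'boolean' || typeof value === 'number') return true;
  return typeof value === 'string' && value.length <= SHORT_STRING_MAX;
}

function hasValidSameSite(sameSite) {
  // Express accepts `true` (Strict) or one of the three string values.
  if (sameSite === true) return true;
  return typeof sameSite === 'string' && ['strict', 'lax', 'none'].includes(sameSite.toLowerCase());
}

function auditCookie(name, value, options = {}) {
  const sessionShaped = SESSION_NAMES.has(name.toLowerCase());
  const missing = [];
  // The UI-flag exemption covers only missingHttpOnly and never a session-shaped name.
  if (options.httpOnly !== true && !(isUiFlagValue(value) && !sessionShaped)) missing.push('missingHttpOnly');
  if (options.secure !== true) missing.push('missingSecure');
  if (!hasValidSameSite(options.sameSite)) missing.push('missingSameSite');

  if (missing.length === 0) return { name, level: 'ok', missing, message: null };
  if (sessionShaped) {
    // One consolidated, louder message for session-shaped names.
    return { name, level: 'error', missing, message: `session cookie "${name}" must set ${missing.join(', ')}` };
  }
  return { name, level: 'warn', missing, message: missing.map((m) => `${name}: ${m}`).join('; ') };
}

// Constructed sample calls: the Bad and Good examples above plus a UI-flag cookie.
const token = 'opaque-session-token-value';
const report = [
  auditCookie('session', token),
  auditCookie('session', token, { httpOnly: true, secure: true, sameSite: 'lax' }),
  auditCookie('theme_dark', '1', { secure: true, sameSite: 'lax' }),
];
for (const r of report) console.log(r.level, r.message ?? `${r.name} ok`);
```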

Use it

Enable secure-cookies in your eslint.config.js:

import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/secure-cookies': 'error',
    },
  },
];
