Security (intermediate)

HTTP-only Cookie

A cookie that can only be accessed by the server, not by JavaScript running in the browser, providing enhanced security.

Detailed Explanation

An HTTP-only Cookie is a browser cookie with a special flag that prevents JavaScript from reading or modifying it. Only the browser and server can access it — code running on the page (including malicious scripts) cannot.

This is critical for security because the Refresh Token is stored in an HTTP-only cookie. Even if an attacker injects malicious JavaScript into your page (an XSS attack), the script cannot steal the refresh token, because document.cookie does not include it.

The flow works like this:

  1. User logs in → Supabase sets a refresh token as an HTTP-only cookie
  2. Browser automatically includes the cookie with every request to Supabase
  3. JavaScript code cannot read the cookie value
  4. When the Access Token expires, the browser sends the cookie to Supabase to get a new one

This is more secure than storing tokens in localStorage or regular cookies, which are accessible to any JavaScript code. Supabase handles HTTP-only cookies automatically — you don't need to configure anything.

HTTP-only cookies work alongside HTTPS to provide defense in depth: HTTPS encrypts the cookie in transit, and the HTTP-only flag prevents access from scripts.
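The following Node script is an added illustration, not Supabase's code: it builds a Set-Cookie header of the kind described above, audits it for the HttpOnly, Secure and SameSite attributes, and models which cookies a page script can read. The cookie name, path and token value are hypothetical.

```javascript
// Added example, not Supabase's code: cookie name, path and token are hypothetical.
const REFRESH_COOKIE = "sb-refresh-token";

// Build the Set-Cookie header a server sends after login. HttpOnly hides the value
// from document.cookie; Secure restricts it to HTTPS; Path and SameSite limit when the
// browser attaches it (HttpOnly alone does not stop scripts from triggering requests).
function buildRefreshCookie(token, maxAgeSeconds) {
  return [
    `${REFRESH_COOKIE}=${encodeURIComponent(token)}`,
    `Max-Age=${maxAgeSeconds}`,
    "Path=/auth",
    "HttpOnly",
    "Secure",
    "SameSite=Lax",
  ].join("; ");
}

// Parse one Set-Cookie header into { name, value, attrs }. Attribute names are
// case-insensitive (RFC 6265), so they are normalised to lower case.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: decodeURIComponent(pair.slice(eq + 1)), attrs };
}

// Defender check: list the hardening attributes a token cookie is missing.
function auditCookie(header) {
  const { attrs } = parseSetCookie(header);
  const missing = [];
  if (!attrs.httponly) missing.push("HttpOnly");
  if (!attrs.secure) missing.push("Secure");
  if (!attrs.samesite) missing.push("SameSite");
  return missing;
}

// Model of document.cookie: the browser exposes only cookies set without HttpOnly,
// so a refresh token set with the flag never reaches page scripts.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders.map(parseSetCookie).filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`).join("; ");
}
```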
