Security · Intermediate

HTTP-only Cookie

A cookie carrying the HttpOnly flag: the browser still sends it with requests to the server that set it, but withholds it from JavaScript running in the page, so a script injected through XSS cannot read it.

Detailed Explanation

An HTTP-only Cookie is a browser cookie whose Set-Cookie header carries the HttpOnly attribute. The browser stores it and attaches it to matching requests, but it never exposes the value to page scripts: document.cookie omits it, and a script cannot overwrite it. Only a server response can set the flag; client-side code has no way to mark a cookie HttpOnly.

This matters for authentication because a Refresh Token is long-lived, and whoever holds it can mint new access tokens. If the refresh token lives in an HTTP-only cookie, an attacker who injects JavaScript into your page (an XSS attack) cannot exfiltrate it, because document.cookie won't include it. The caveat: the injected script can still make requests from the page, and the browser will attach the cookie to them, so HttpOnly prevents theft of the token, not its use while the XSS is live. It limits the damage; the XSS itself still has to be fixed.

The flow works like this:

  1. User logs in → the server (Supabase, or your backend acting for it) returns a Set-Cookie header that stores the refresh token with the HttpOnly flag, normally together with Secure, SameSite and a Path scoped to the refresh endpoint
  2. The browser automatically attaches the cookie to later requests to the host and path it was scoped to, subject to the cookie's SameSite rule
  3. JavaScript in the page cannot read or modify the cookie value
  4. When the Access Token expires, the client calls the refresh endpoint; the browser sends the cookie with that request, the server validates it and returns a new access token (and usually rotates the refresh token, so the old value stops working)

This is more secure than storing tokens in localStorage or in regular cookies, both of which any JavaScript on the page can read. Whether your Supabase setup actually gets this protection depends on where the session is managed: only a server response can set an HttpOnly cookie, so a purely client-side supabase-js setup, which keeps the session in localStorage by default, does not. Check rather than assume: in the browser devtools (Application → Cookies) the HttpOnly column should be ticked for the session cookie, and the Set-Cookie header in the login response should contain HttpOnly.

HTTP-only cookies work alongside HTTPS and the other cookie attributes to provide defense in depth: HTTPS encrypts the cookie in transit, the Secure flag stops the browser from ever sending it over plain HTTP, SameSite limits which cross-site requests carry it (the usual CSRF concern with cookie-based auth), and the HttpOnly flag prevents access from scripts.
