Hacker News

Well, you should be using `httpOnly` cookies (i.e. unusable from the browser) and setting them from the server. Your browser client will automatically send them.

document.cookie is a security vulnerability that's hard to find in any respectable documentation. It's up there with sql string concatenation.
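Added example, mine rather than any commenter's: the server-side half of what the comment above describes. The server mints a random session id, issues it in a Set-Cookie header with HttpOnly (plus Secure and SameSite=Lax), and on later requests reads it back from the Cookie header the browser attaches automatically, so client-side JavaScript never needs document.cookie. A small audit helper reports which hardening attributes a Set-Cookie value lacks, which is the check to run against a real response. Only the Python standard library is used; the in-memory session store and the sample headers are constructed here for illustration.

```python
"""Added example, not from the thread: issue a session cookie with HttpOnly
from the server, read it back from the Cookie header, and audit Set-Cookie
values for missing hardening attributes. Standard library only."""
from http.cookies import SimpleCookie
from typing import Dict, List, Optional
import secrets

# Constructed sample session store for the demo: session id -> user record.
SESSION_STORE: Dict[str, dict] = {}


def start_session(user: str) -> str:
    """Create a server-side session and return its unguessable id."""
    session_id = secrets.token_urlsafe(32)
    SESSION_STORE[session_id] = {"user": user}
    return session_id


def build_set_cookie(session_id: str, secure: bool = True) -> str:
    """Return the Set-Cookie header value carrying the session id.

    HttpOnly keeps the value out of document.cookie; Secure limits it to
    HTTPS; SameSite=Lax withholds it from most cross-site requests.
    `secure` is switchable only so a plain-HTTP dev server can be exercised.
    """
    jar = SimpleCookie()
    jar["session"] = session_id
    morsel = jar["session"]
    morsel["httponly"] = True
    morsel["secure"] = secure
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    # output(header="") yields the bare value a framework puts after "Set-Cookie:".
    return jar.output(header="").strip()


def session_from_request(cookie_header: Optional[str]) -> Optional[dict]:
    """Resolve the session from the incoming Cookie header.

    The browser sends this header by itself on every matching request;
    no client-side code is involved.
    """
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("session")
    if morsel is None:
        return None
    return SESSION_STORE.get(morsel.value)


HARDENING_ATTRS = ("HttpOnly", "Secure", "SameSite")


def missing_cookie_attrs(set_cookie_value: str) -> List[str]:
    """Audit a Set-Cookie value and return the hardening attributes it lacks.

    Feed it the values from a real response (e.g. a `curl -i` capture) to
    spot session cookies that JavaScript on the page could read.
    """
    parts = [p.strip() for p in set_cookie_value.split(";")]
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return [a for a in HARDENING_ATTRS if a.lower() not in present]


if __name__ == "__main__":
    sid = start_session("alice")
    header = build_set_cookie(sid)
    print("Set-Cookie:", header)
    print("missing attributes:", missing_cookie_attrs(header))
    # Constructed request header as a browser would send it on the next request.
    print("session:", session_from_request(f"session={sid}; theme=dark"))
```

The audit deliberately parses the header itself rather than trusting the builder, so it can be pointed at cookies set by any framework or proxy in front of the app.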



SQL string concatenation is fine. You mean parameter concatenation (into the query string).


Call it whatever you want, but everyone knows what "SQL string concatenation" is referring to wrt injection. I don't think a finer point is necessary.
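Added example, mine rather than any commenter's, covering both the original comparison to SQL injection and the reply's distinction: the same login query built by splicing user input into the SQL text (vulnerable) and by binding the input as parameters (safe), run against an in-memory SQLite table constructed here. A third function concatenates a trusted, allowlisted identifier into the query text, which is the benign "SQL string concatenation" that is not the problem; only user-controlled values reaching the query text are. The table, rows and malicious inputs are all constructed for the demo.

```python
"""Added example, not from the thread: concatenated vs. parameterized SQL,
plus allowlisted identifier concatenation, against an in-memory SQLite table."""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data; plaintext passwords only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """VULNERABLE: user-controlled values are spliced into the query text."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """SAFE: the query text is fixed; values travel as bound parameters."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


ALLOWED_SORT_COLUMNS = ("id", "name")


def list_users(conn: sqlite3.Connection, sort_by: str) -> List[str]:
    """Concatenating a trusted identifier is fine: the user can only pick from
    the allowlist, and bound parameters cannot name a column anyway."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = "SELECT name FROM users ORDER BY " + sort_by
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = make_db()
    # Comment injection: closes the name literal, then "--" comments out the password check.
    print(login_concat(conn, "alice' --", "wrong"))   # ['alice']
    print(login_param(conn, "alice' --", "wrong"))    # []
    # Tautology injection: the OR makes the WHERE clause true for every row.
    print(login_concat(conn, "x", "' OR '1'='1"))     # ['alice', 'bob']
    print(login_param(conn, "x", "' OR '1'='1"))      # []
    print(list_users(conn, "name"))                    # ['alice', 'bob']
```

The parameterized version returns nothing for the injected strings because SQLite compares them as literal values; the concatenated version returns a row it never should have.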




