Description
This is not an issue, I am creating this to just discuss my concern regarding securing the "secret" in cookie.
In the document "Understanding CSRF", you have mentioned to make sure cookie sessions use httpOnly so the client can't read the secret via client-side JavaScript!
Concern: Do we actually need to secure the "secret" with the httpOnly flag?
Now my point is, an attacker can read the response via client-side JavaScript through either a CORS or an XSS vulnerability. For now let's assume I as an attacker find an XSS on the application. So as an attacker what I need is the CSRF token and not the "secret". And the CSRF token will be present either in the response body or in a response header. So if I have an XSS vulnerability I can read the response and could get the CSRF token directly. So what is the point of securing the "secret"?
Let me know if I have any wrong understanding.