@boring-stack-pkg/eslint-plugin-jwt-cookies
v0.1.2
ESLint rules that harden auth-cookie defaults (httpOnly, secure) and bcrypt rounds. Defense-in-depth for the cookie-config helper pattern.
# eslint-plugin-jwt-cookies

ESLint rules that harden auth-cookie and password-hashing defaults:

- `auth-cookie-must-be-httponly` — auth cookies must set `httpOnly: true` (or spread a trusted cookie-config helper). JS-readable session cookies leak via XSS.
- `auth-cookie-must-be-secure-in-prod` — auth cookies must set `secure:` to `true` or an env-derived expression. Cookies leak over plain HTTP without it.
- `bcrypt-rounds-min` — `bcrypt.hash`/`hashSync` must use a rounds value of at least `minRounds` (default 10).
This plugin is defense in depth. The cookie-config helper pattern
(AUTH_COOKIE_CONFIG) is the primary safeguard — these rules enforce
that the helper is actually used, and that ad-hoc cookie writes don't
quietly bypass it.
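The helper pattern the paragraph above refers to, written out as an added example (this is illustrative code, not the plugin's own source): one `AUTH_COOKIE_CONFIG` built from the environment, spread into every auth-cookie write, plus a small runtime audit that mirrors what the three lint rules check. `buildAuthCookieConfig`, `auditCookieOptions`, `checkBcryptRounds` and `setSessionCookie` are names assumed for this example; the `sameSite` default is a constructed choice, not something the rules require.

```javascript
// Added example, not part of the plugin. It shows the cookie-config helper
// pattern the lint rules protect, and a runtime check that reports the same
// rule ids the plugin uses. All function names here are assumptions.

// Single source of truth for auth-cookie attributes. Spreading this into every
// res.cookie() call is the "trusted cookie-config helper" the rules accept.
function buildAuthCookieConfig(env) {
  const isProd = env.NODE_ENV === "production";
  return {
    httpOnly: true,   // never readable from page JS, so XSS cannot exfiltrate it
    secure: isProd,   // TLS-only in production; plain HTTP tolerated in local dev
    sameSite: "lax",  // constructed default, not mandated by the rules
    path: "/",
  };
}

const AUTH_COOKIE_CONFIG = buildAuthCookieConfig(process.env);

// Runtime counterpart of the two cookie rules: returns the rule ids that the
// given options object would violate, or an empty array when it is clean.
function auditCookieOptions(options, env = process.env) {
  const findings = [];
  if (options.httpOnly !== true) {
    findings.push("auth-cookie-must-be-httponly");
  }
  const isProd = env.NODE_ENV === "production";
  if (isProd && options.secure !== true) {
    findings.push("auth-cookie-must-be-secure-in-prod");
  }
  return findings;
}

// Runtime counterpart of bcrypt-rounds-min: reject a cost factor below the
// minimum before it ever reaches bcrypt.hash / hashSync.
function checkBcryptRounds(rounds, minRounds = 10) {
  if (!Number.isInteger(rounds) || rounds < minRounds) {
    return { ok: false, reason: `bcrypt rounds ${rounds} below minimum ${minRounds}` };
  }
  return { ok: true };
}

// How an Express-style handler would use the helper. `res` only needs a
// cookie(name, value, options) method, so a stub works for testing.
function setSessionCookie(res, token, env = process.env) {
  const options = { ...buildAuthCookieConfig(env), maxAge: 60 * 60 * 1000 };
  const findings = auditCookieOptions(options, env);
  if (findings.length > 0) {
    throw new Error(`unsafe auth cookie: ${findings.join(", ")}`);
  }
  res.cookie("session", token, options);
  return options;
}
```

The lint rules catch the ad-hoc `res.cookie("session", token, { httpOnly: false })` case at review time; the audit function is the same check at runtime, useful in an integration test that boots the app with `NODE_ENV=production` and asserts that no auth cookie is ever written without `secure: true`.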
## Install

```sh
pnpm add -D @boring-stack-pkg/eslint-plugin-jwt-cookies
```

Peer deps: eslint >= 8.57, @typescript-eslint/parser >= 8, typescript >= 5.
## Use (flat config)

```js
import tsParser from "@typescript-eslint/parser";
import jwtCookies from "@boring-stack-pkg/eslint-plugin-jwt-cookies";

export default [
  {
    files: ["**/*.{ts,tsx}"],
    languageOptions: { parser: tsParser },
    plugins: { "jwt-cookies": jwtCookies },
    rules: {
      "jwt-cookies/auth-cookie-must-be-httponly": "error",
      "jwt-cookies/auth-cookie-must-be-secure-in-prod": "error",
      "jwt-cookies/bcrypt-rounds-min": ["error", { minRounds: 12 }],
    },
  },
];
```

Or use the bundled config:

```js
import jwtCookies from "@boring-stack-pkg/eslint-plugin-jwt-cookies";

export default [jwtCookies.configs.recommended];
```

## Rules
| Rule | Description | Fixable |
| --- | --- | --- |
| `auth-cookie-must-be-httponly` | Auth cookies must set `httpOnly: true` | – |
| `auth-cookie-must-be-secure-in-prod` | Auth cookies must set `secure:` to a literal `true` or an env expression | – |
| `bcrypt-rounds-min` | `bcrypt.hash` rounds must meet a minimum | – |
## License

MIT.
