npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

cookie-httponly

v1.0.3

Published

Protecting Your Cookies

Downloads

47

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

woodgerwoodger

Keywords

cookiehttponly

Readme

Cookie HttpOnly

License Build Status Build status Coverage Status Known Vulnerabilities

Restricting access to cookies is essential for security in many web apps. For example, the session ID, the secret token used to identify a particular session, is typically stored in a cookie.

Cookies HttpOnly is a Node.js® module for getting and setting HTTP(S) cookies with the HttpOnly flag set and strict security policy. This module implemented by following the RFC 6265 Standard.

Getting Started

Installation

To use Cookie HttpOnly in your project, run:

npm i cookie-httponly

Configure Nginx

Setting location up Nginx as proxy for Nodejs application:

location @nodejs {
  proxy_pass http://localhost:8080;
  proxy_http_version 1.1;
  proxy_set_header Host $host:$server_port;
  proxy_set_header IP $remote_addr;
}

API docs

Table of Contents

class Cookie

class: Cookie

This class implemented by following the ECMAScript® 2018 Language Specification Standard. To use this module:

const Cookie = require('cookie-httponly');

constructor: new Cookie(request, response)

const http = require('http');
const Cookie = require('cookie-httponly');

http.createServer((req, res) => {
  const cookie = new Cookie(req, res);
  res.end();
})
.listen(8080);

When the class instance is initialized successfully, the HTTP headers are read and parsed. The resulting values are available from the cookie.entries field.

The connection must be established from the domain name (i.e., not an IP address)

cookie.has(name)

  • name <String>
  • returns: <Boolean> A true if an element with the specified key exists in the cookie.entries; otherwise false.

The method returns a Boolean value indicating whether or not an element with the specified key name exists from the cookie.entries field.

cookie.get(name)

  • name <String>
  • returns: <String | undefined> A string if an element with the specified key exists in the cookie.entries; otherwise undefined.

The method returns the value of the specified name from the cookie.entries field.

cookie.set(name, value[, options])

  • name <String> Invalid characters will be deleted or escaped.

  • value <String> Invalid characters will be deleted or escaped.

  • options <Object>

    • domain <String> The domain option specifies those hosts to which the cookie will be sent. For example, if the value of the domain option is 'example.com', the user agent will include the cookie in the Cookie header when making HTTP(S) requests to 'example.com', 'www.example.com', and 'www.corp.example.com'.

      NOTE That a leading '.', if present, is ignored even though that character is not permitted, but a trailing '.', if present, will cause the user agent to ignore the attribute.

      If the server omits the domain options, the user agent will return the cookie only to the origin server. Domain matching the string is a host name (i.e., not an IP address). Default: cookie.domain.

    • path <String> Cookie path, use '/' as the path if you want your cookie to be accessible on all pages. Default: '/'.

    • expires <Date> The Expires attribute indicates the date and time at which the cookie expires. Default: current session.

    NOTE Typical session identifier might reasonably be set to expire in two weeks.

  • returns: <undefined>

Installing HTTP(S) headers. Note that setting headers does not mean the appearance of values in the cookie.entries field. With the https secure connection, the method will automatically add the security flag to the headers.

An example of setting the headers to record cookies for 1 year.

const http = require('http');
const Cookie = require('cookie-httponly');

http.createServer((req, res) => {
  const cookie = new Cookie(req, res);
  let forYear = new Date();

  cookie.set('user', '84b7e44aa54d002eac8d00f5bfa9cc93410f2a48', {
    expires: forYear.setUTCFullYear(forYear.getUTCFullYear() + 1)
  });

  res.end();
})
.listen(8080);

To send headers for remove of cookies by name, simply set the header with the begin date and time.

const http = require('http');
const Cookie = require('cookie-httponly');

http.createServer((req, res) => {
  const cookie = new Cookie(req, res);

  cookie.set('user', '', {
    expires: new Date(0) // Thu, 01 Jan 1970 00:00:00 GMT
  });

  res.end();
})
.listen(8080);

cookie.request

cookie.response

cookie.entries

  • <Map> The values of the incoming cookie.

cookie.domain

  • <String> The value is set when creating an instance of the class from the request.headers field of the current connection. The connection must be established from the domain name (i.e., not an IP address).

cookie.secure

  • <Boolean> true if the current session has a secure connection; otherwise false.

You can override the properties cookie.domain and cookie.secure.