Supabase SSR + Middleware + HttpOnly Cookies?

Hello, I’m currently working on my thesis project, it’s a patient record management system with appointment scheduling (using Next.js + Supabase). I ran into an issue: the Supabase cookies aren’t set as HttpOnly, which makes me worried about security. My question is: Is there a way to still use Supabase SSR with middleware and have the cookies set as HttpOnly? Or am I missing something about how Supabase auth/session handling works in this setup? I’m still pretty new to web dev, so any clarification, suggestions, or best practices would really help me a lot. Thanks! Also, I just want to ask: how can I properly justify that using a cookie without the HttpOnly flag can still be considered secure, especially when dealing with sensitive data such as patient records?
2 Replies
j4, 2mo ago
In your context, I would absolutely use httponly for cookies. I saw somewhere - on discord or github - where someone supposedly implemented that with nextjs. Just gotta make everything server-driven since you can't access the cookies in the browser.
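One concrete way to act on that advice, as an added example that is not code from this thread or from Supabase: when `@supabase/ssr`'s server client asks the middleware to write its auth cookies through the `setAll` callback, override the proposed options so every cookie goes out with `HttpOnly`, `Secure` and a `SameSite` value, then audit the resulting `Set-Cookie` header. The adapter shape (`getAll()` / `setAll(cookiesToSet)` with `{ name, value, options }` items) is assumed from the `@supabase/ssr` cookie API; the cookie stores, the cookie name and the session value are constructed in-memory stand-ins for Next.js's `request.cookies` / `response.cookies`, not real Supabase output.

```typescript
// Added example (not from the thread or from Supabase): force HttpOnly/Secure/SameSite on
// every cookie the Supabase SSR client writes, and audit the resulting Set-Cookie header.
// Assumption: @supabase/ssr's createServerClient takes a `cookies` adapter with getAll()
// and setAll(cookiesToSet), each item being { name, value, options }. The stores below are
// minimal stand-ins for next/server's NextRequest.cookies / NextResponse.cookies.

type SameSite = "lax" | "strict" | "none";

interface CookieOptions {
  path?: string;
  domain?: string;
  maxAge?: number;
  httpOnly?: boolean;
  secure?: boolean;
  sameSite?: SameSite;
}

interface CookieToSet { name: string; value: string; options?: CookieOptions; }

// Structural view of the two cookie stores middleware touches.
interface CookieStore {
  getAll(): { name: string; value: string }[];
  set(name: string, value: string, options?: CookieOptions): void;
}

// Policy: whatever the library proposes, the server-only flags win.
export function hardenCookieOptions(options: CookieOptions = {}): CookieOptions {
  return {
    path: "/",
    ...options,
    httpOnly: true,                        // page scripts can never read the session
    secure: true,                          // only sent over TLS
    sameSite: options.sameSite ?? "lax",   // CSRF mitigation; keep "strict" if requested
  };
}

// Build the adapter passed as `cookies` to createServerClient inside middleware.
export function buildCookieAdapter(req: CookieStore, res: CookieStore) {
  return {
    getAll() { return req.getAll(); },
    setAll(cookiesToSet: CookieToSet[]) {
      for (const { name, value, options } of cookiesToSet) {
        const hardened = hardenCookieOptions(options);
        req.set(name, value, hardened);   // server code later in this request sees it
        res.set(name, value, hardened);   // the browser receives it
      }
    },
  };
}

// Serialize one cookie as it would appear in a Set-Cookie response header.
export function serializeSetCookie(name: string, value: string, o: CookieOptions): string {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (o.path) parts.push(`Path=${o.path}`);
  if (o.domain) parts.push(`Domain=${o.domain}`);
  if (o.maxAge !== undefined) parts.push(`Max-Age=${o.maxAge}`);
  if (o.httpOnly) parts.push("HttpOnly");
  if (o.secure) parts.push("Secure");
  if (o.sameSite) parts.push(`SameSite=${o.sameSite[0].toUpperCase()}${o.sameSite.slice(1)}`);
  return parts.join("; ");
}

// Defender-side check: which protective attributes are missing from a Set-Cookie header?
export function auditSetCookie(header: string): string[] {
  const attrs = header.split(";").slice(1).map((p) => p.trim().toLowerCase());
  const missing: string[] = [];
  if (!attrs.includes("httponly")) missing.push("HttpOnly");
  if (!attrs.includes("secure")) missing.push("Secure");
  if (!attrs.some((a) => a.startsWith("samesite="))) missing.push("SameSite");
  return missing;
}

// In-memory stand-in for NextRequest.cookies / NextResponse.cookies (constructed for the demo).
export class MemoryCookieStore implements CookieStore {
  private jar = new Map<string, { value: string; options: CookieOptions }>();
  getAll() { return Array.from(this.jar.entries()).map(([name, c]) => ({ name, value: c.value })); }
  set(name: string, value: string, options: CookieOptions = {}) { this.jar.set(name, { value, options }); }
  headers(): string[] {
    return Array.from(this.jar.entries()).map(([n, c]) => serializeSetCookie(n, c.value, c.options));
  }
}

// Demo: a constructed cookie written the way a browser-readable default would be (httpOnly: false).
export function demo(): string[] {
  const req = new MemoryCookieStore();
  const res = new MemoryCookieStore();
  const adapter = buildCookieAdapter(req, res);
  adapter.setAll([{
    name: "sb-example-auth-token",          // constructed name, not a real project cookie
    value: "opaque-session-value",          // constructed value
    options: { path: "/", maxAge: 3600, httpOnly: false, sameSite: "lax" },
  }]);
  return res.headers();
}
```

In a real `middleware.ts` you would pass `request.cookies` and `supabaseResponse.cookies` from `next/server` as the two stores and hand `buildCookieAdapter(...)` to `createServerClient` as its `cookies` option (I believe `createServerClient` also accepts a top-level `cookieOptions` object, but overriding inside `setAll` does not depend on that). The trade-off is exactly what j4 describes: once the cookie is `HttpOnly`, the browser-side Supabase client cannot read the session, so sign-in, sign-out and token refresh have to run in Route Handlers, Server Actions or middleware. Note also what `HttpOnly` does and does not buy you: it stops injected script from exfiltrating the cookie value, but script running on the page can still issue requests that carry the cookie, so a justification for patient data should rest on the combination of `HttpOnly`, `Secure`, `SameSite`, short-lived tokens, a Content Security Policy and Supabase row-level security rather than on any single flag.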
