Bolt security

Insecure Cookie Configuration in Bolt Application

Your Bolt.new application stores authentication tokens or session data in cookies without proper security attributes. Missing HttpOnly, Secure, and SameSite flags leave your users' sessions vulnerable to theft through XSS attacks, man-in-the-middle interception, and cross-site request forgery.

When Bolt generates authentication code, it may set cookies using basic document.cookie assignments or use a cookie library with default (insecure) settings. This means session tokens can be read by JavaScript (enabling XSS-based theft), transmitted over unencrypted HTTP connections, and sent along with cross-site requests.

An attacker who steals a session cookie can impersonate any user on your platform, access their data, make purchases on their behalf, or escalate privileges to admin accounts. This is a silent vulnerability that leaves no trace until it's exploited.

Error Messages You Might See

Warning: Cookie set without HttpOnly flag Cookie rejected due to SameSite=None without Secure Set-Cookie header ignored: must be Secure when SameSite=None Mixed Content: cookie will be blocked in future browser versions
Warning: Cookie set without HttpOnly flagCookie rejected due to SameSite=None without SecureSet-Cookie header ignored: must be Secure when SameSite=NoneMixed Content: cookie will be blocked in future browser versions

Common Causes

  • Missing HttpOnly flag — Cookies are readable by JavaScript via document.cookie, so any XSS vulnerability can steal session tokens
  • Missing Secure flag — Cookies are sent over unencrypted HTTP connections, allowing interception on public WiFi networks
  • SameSite not set to Strict or Lax — Cookies are sent with cross-site requests, enabling CSRF attacks
  • Cookies set from client-side JavaScript — Using document.cookie or js-cookie instead of setting cookies from the server with proper flags
  • Overly broad cookie domain or path — Cookies scoped to a parent domain or root path, making them accessible to other subdomains or paths that may be compromised

How to Fix It

  1. Set cookies from the server — Use Set-Cookie headers from your API routes instead of document.cookie: res.setHeader('Set-Cookie', `token=${value}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=86400`)
  2. Enable HttpOnly — This prevents JavaScript from accessing the cookie, blocking XSS-based theft entirely
  3. Enable Secure flag — Ensures cookies are only sent over HTTPS connections, preventing interception
  4. Set SameSite to Lax or Strict — Lax allows cookies on top-level navigations (links), Strict blocks all cross-site cookie sending
  5. Use a session library — Install iron-session or next-auth which handle secure cookie configuration by default
  6. Set proper expiration — Use Max-Age or Expires instead of session cookies for persistent login, and set reasonable timeouts

Real developers can help you.

Matt Butler Matt Butler Software Engineer @ AWS legrab legrab I'll fill this later PawelPloszaj PawelPloszaj I'm fronted developer with 10+ years of experience with big projects. I have small backend background too Kingsley Omage Kingsley Omage Fullstack software engineer passionate about AI Agents, blockchain, LLMs. Dor Yaloz Dor Yaloz SW engineer with 6+ years of experience, I worked with React/Node/Python did projects with React+Capacitor.js for ios Supabase expert MFox MFox Full-stack professional senior engineer (15+years). Extensive experience in software development, qa, and IP networking. Taufan Taufan I’m a product-focused engineer and tech leader who builds scalable systems and turns ideas into production-ready platforms. Over the past years, I’ve worked across startups and fast-moving teams, leading backend architecture, improving system reliability, and shipping products used by thousands of users. My strength is not just writing code — but connecting product vision, technical execution, and business impact. Yovel Cohen Yovel Cohen I got a lot of experience in building Long-horizon AI Agents in production, Backend apps that scale to millions of users and frontend knowledge as well. Antriksh Narang Antriksh Narang 5 years+ Experienced Dev (Specially in Web Development), can help in python, javascript, react, next.js and full stack web dev technologies. Simon A. Simon A. I'm a backend developer building APIs, emulators, and interactive game systems. Professionally, I've developed Java/Spring reporting solutions, managed relational and NoSQL databases, and implemented CI/CD workflows.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help

Frequently Asked Questions

What is the difference between HttpOnly, Secure, and SameSite?

HttpOnly prevents JavaScript access to the cookie (blocks XSS theft). Secure ensures the cookie is only sent over HTTPS. SameSite controls whether cookies are sent with cross-site requests (blocks CSRF). You need all three for proper security.

Should I use localStorage or cookies for auth tokens?

Cookies with HttpOnly and Secure flags are safer for auth tokens because JavaScript cannot access them, making XSS attacks ineffective. localStorage is readable by any script on the page, so a single XSS vulnerability exposes all tokens.

Related Bolt Issues

Missing Input Sanitization in Bolt App Forms

security

Environment Variables Exposed in Bolt Client Bundle

security

SQL Injection in Bolt AI-Generated Database Queries

security

Can't fix it yourself?
Real developers can help.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help