Posts

Showing posts from June, 2022

MDN Series

CORS https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Cookies https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

- You can ensure that cookies are sent securely and aren't accessed by unintended parties or scripts with two attributes, which are normally used together: Secure and HttpOnly.
- Secure - A cookie with the Secure attribute is only sent to the server with an encrypted request over HTTPS. It is never sent over plain HTTP (except to localhost, which browsers treat as a secure context), so a man-in-the-middle attacker can't read it off the wire.
- HttpOnly - A cookie with the HttpOnly attribute is inaccessible to the JavaScript Document.cookie API; it's only sent to the server. For example, cookies that back server-side sessions don't need to be readable by JavaScript and should have the HttpOnly attribute, which limits what a cross-site scripting (XSS) payload can steal. Note that HttpOnly does not stop the browser from attaching the cookie to XHR or fetch requests; it only hides the cookie from script, so an XSS payload can still make authenticated requests from the victim's browser.

TODO CSRF, XSS, Cac...
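The two cookie attributes above, modelled as an added example (not MDN's code and not part of the original post). It builds and parses a Set-Cookie header, then simulates the three browser rules the notes describe: Secure cookies are dropped on plain-HTTP requests except to localhost, HttpOnly cookies are hidden from document.cookie, and HttpOnly cookies are still attached to XHR/fetch requests. The helper names (buildSetCookie, parseSetCookie, isSentTo, documentCookie, cookieHeaderFor) and the sample cookie jar are my own and constructed for the demo.

```javascript
// Added example: a small model of the Secure / HttpOnly cookie rules.
// Helper names and the sample jar are constructed for this demo, not taken from MDN.

function buildSetCookie(name, value, { secure = false, httpOnly = false, path = '/', sameSite } = {}) {
  // Reject separators rather than silently producing a malformed header.
  if (/[;=\s]/.test(name) || /;/.test(value)) throw new Error('invalid cookie name or value');
  // Browsers reject SameSite=None cookies that are not also Secure.
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, httpOnly: false, path: '/' };
  for (const attr of attrs) {
    const [key, val] = attr.split('=');
    switch (key.toLowerCase()) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'path': cookie.path = val; break;
      case 'samesite': cookie.sameSite = val; break;
    }
  }
  return cookie;
}

// RFC 6265 path-match: exact, or prefix ending at a '/' boundary.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Would the browser attach this cookie to a request for `url`?
// Models the Secure rule including the localhost exception (http://localhost is a secure context).
function isSentTo(cookie, url) {
  const u = new URL(url);
  const secureContext = u.protocol === 'https:' || u.hostname === 'localhost' || u.hostname.endsWith('.localhost');
  if (cookie.secure && !secureContext) return false;
  return pathMatches(cookie.path, u.pathname);
}

// What document.cookie exposes from a jar: HttpOnly cookies are filtered out.
function documentCookie(jar) {
  return jar.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join('; ');
}

// What the Cookie request header carries for an XHR/fetch to `url`; HttpOnly plays no role here.
function cookieHeaderFor(jar, url) {
  return jar.filter((c) => isSentTo(c, url)).map((c) => `${c.name}=${c.value}`).join('; ');
}

// Constructed sample jar: a session cookie hardened as the notes recommend, and a plain preference cookie.
const jar = [
  buildSetCookie('sessionid', 'abc123', { secure: true, httpOnly: true, sameSite: 'Lax' }),
  buildSetCookie('theme', 'dark'),
].map(parseSetCookie);

console.log('document.cookie  :', documentCookie(jar));
console.log('https request    :', cookieHeaderFor(jar, 'https://example.com/api'));
console.log('http request     :', cookieHeaderFor(jar, 'http://example.com/api'));
console.log('http://localhost :', cookieHeaderFor(jar, 'http://localhost:3000/api'));
```

The XSS takeaway is visible in the last three lines: script never sees sessionid, but any request it triggers from the page still carries it, so HttpOnly shrinks what an injected script can exfiltrate without stopping it from acting as the user.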