no-cookies
Disallow client-side cookie usage patterns that increase session and data risk.
Targeted pattern scopeโ
This rule targets browser cookie read and write patterns, including direct
access to document.cookie.
What this rule reportsโ
This rule reports cookie usage in client code where safer or less exposed storage patterns are preferred.
Why this rule existsโ
Cookies are frequently sent over network requests and can expand leakage and tampering risk when misconfigured.
โ Incorrectโ
document.cookie = `sessionToken=${token}; path=/`;
โ Correctโ
localStorage.setItem("sessionToken", token);
ESLint flat config exampleโ
import sdl from "eslint-plugin-sdl-2";
export default [
{
plugins: { sdl },
rules: {
"sdl/no-cookies": "error",
},
},
];
When not to use itโ
Disable this rule when application requirements mandate cookie-backed sessions with hardened attributes and server controls.
Package documentationโ
Further readingโ
Rule catalog ID: R006