Skip to main content

no-cookies

Disallow client-side cookie usage patterns that increase session and data risk.

Targeted pattern scopeโ€‹

This rule targets browser cookie read and write patterns, including direct access to document.cookie.

What this rule reportsโ€‹

This rule reports cookie usage in client code where safer or less exposed storage patterns are preferred.

Why this rule existsโ€‹

Cookies are frequently sent over network requests and can expand leakage and tampering risk when misconfigured.

โŒ Incorrectโ€‹

document.cookie = `sessionToken=${token}; path=/`;

โœ… Correctโ€‹

localStorage.setItem("sessionToken", token);

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },
rules: {
"sdl/no-cookies": "error",
},
},
];

When not to use itโ€‹

Disable this rule when application requirements mandate cookie-backed sessions with hardened attributes and server controls.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R006