且构网

Storing JWT tokens in cookies

Updated: 2023-01-12 11:11:44

You're on the right path! The cookie should always have the HttpOnly flag; setting this flag will prevent the JavaScript environment (in the web browser) from accessing the cookie. This is the best way to prevent XSS attacks in the browser.

You should also use the Secure flag in production, to ensure that the cookie is only sent over HTTPS.

You also need to prevent CSRF attacks. This is typically done by setting a value in another cookie, which must be supplied on every request.

I work at Stormpath and we’ve written a lot of information about front-end security. These two posts may be useful for understanding all the facets:

Token-Based Authentication for Single Page Apps (SPAs)

https://stormpath.com/blog/build-secure-user-interfaces-using-jwts/