From a8b756d7ad6ddb7546c9a2c250d00616bd4cffde Mon Sep 17 00:00:00 2001
From: dboni-liaisongroup <dboni@liaisongroup.com>
Date: Tue, 10 Jun 2025 12:11:08 +0100
Subject: [PATCH] docs(update): clarifies difference and relationship of
 httpOnly and secure flags.

---
 packages/kit/src/exports/public.d.ts | 20 ++++++++++++++++++++
 packages/kit/types/index.d.ts        | 20 ++++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/packages/kit/src/exports/public.d.ts b/packages/kit/src/exports/public.d.ts
index ec930b7d073a..bbf2110afd91 100644
--- a/packages/kit/src/exports/public.d.ts
+++ b/packages/kit/src/exports/public.d.ts
@@ -228,6 +228,16 @@ export interface Cookies {
 	 *
 	 * The `httpOnly` and `secure` options are `true` by default (except on http://localhost, where `secure` is `false`), and must be explicitly disabled if you want cookies to be readable by client-side JavaScript and/or transmitted over HTTP. The `sameSite` option defaults to `lax`.
 	 *
+	 * The `httpOnly` and `secure` flags are <b>independent but complementary security</b> features for cookies. They protect against different types of vulnerabilities.
+	 * `httpOnly` vs `secure`:
+	 * `httpOnly` - Controls WHO can access the cookie:
+	 * - `true`: Only server can access (blocks client-side JavaScript)
+	 * - `false`: Both server and client-side JavaScript can access
+	 *
+	 *`secure` - Controls HOW the cookie is transmitted:
+	 * - `true`: Only sent over HTTPS connections
+	 * - `false`: Sent over both HTTP and HTTPS
+	 *
 	 * You must specify a `path` for the cookie. In most cases you should explicitly set `path: '/'` to make the cookie available throughout your app. You can use relative paths, or set `path: ''` to make the cookie only available on the current path and its children
 	 * @param name the name of the cookie
 	 * @param value the cookie value
@@ -253,6 +263,16 @@ export interface Cookies {
 	 *
 	 * The `httpOnly` and `secure` options are `true` by default (except on http://localhost, where `secure` is `false`), and must be explicitly disabled if you want cookies to be readable by client-side JavaScript and/or transmitted over HTTP. The `sameSite` option defaults to `lax`.
 	 *
+	 * The `httpOnly` and `secure` flags are <b>independent but complementary security</b> features for cookies. They protect against different types of vulnerabilities.
+	 * `httpOnly` vs `secure`:
+	 * `httpOnly` - Controls WHO can access the cookie:
+	 * - `true`: Only server can access (blocks client-side JavaScript)
+	 * - `false`: Both server and client-side JavaScript can access
+	 *
+	 *`secure` - Controls HOW the cookie is transmitted:
+	 * - `true`: Only sent over HTTPS connections
+	 * - `false`: Sent over both HTTP and HTTPS
+	 *
 	 * You must specify a `path` for the cookie. In most cases you should explicitly set `path: '/'` to make the cookie available throughout your app. You can use relative paths, or set `path: ''` to make the cookie only available on the current path and its children
 	 *
 	 * @param name the name of the cookie
diff --git a/packages/kit/types/index.d.ts b/packages/kit/types/index.d.ts
index 74d438a6f5cc..aa6f89dfd93f 100644
--- a/packages/kit/types/index.d.ts
+++ b/packages/kit/types/index.d.ts
@@ -209,6 +209,16 @@ declare module '@sveltejs/kit' {
 		 * Sets a cookie. This will add a `set-cookie` header to the response, but also make the cookie available via `cookies.get` or `cookies.getAll` during the current request.
 		 *
 		 * The `httpOnly` and `secure` options are `true` by default (except on http://localhost, where `secure` is `false`), and must be explicitly disabled if you want cookies to be readable by client-side JavaScript and/or transmitted over HTTP. The `sameSite` option defaults to `lax`.
+	   * 
+	   * The `httpOnly` and `secure` flags are <b>independent but complementary security</b> features for cookies. They protect against different types of vulnerabilities.
+	   * `httpOnly` vs `secure`:
+	   * `httpOnly` - Controls WHO can access the cookie:
+	   * - `true`: Only server can access (blocks client-side JavaScript)
+	   * - `false`: Both server and client-side JavaScript can access
+	   *
+	   *`secure` - Controls HOW the cookie is transmitted:
+	   * - `true`: Only sent over HTTPS connections
+	   * - `false`: Sent over both HTTP and HTTPS
 		 *
 		 * You must specify a `path` for the cookie. In most cases you should explicitly set `path: '/'` to make the cookie available throughout your app. You can use relative paths, or set `path: ''` to make the cookie only available on the current path and its children
 		 * @param name the name of the cookie
@@ -234,6 +244,16 @@ declare module '@sveltejs/kit' {
 		 * Serialize a cookie name-value pair into a `Set-Cookie` header string, but don't apply it to the response.
 		 *
 		 * The `httpOnly` and `secure` options are `true` by default (except on http://localhost, where `secure` is `false`), and must be explicitly disabled if you want cookies to be readable by client-side JavaScript and/or transmitted over HTTP. The `sameSite` option defaults to `lax`.
+	   * 
+	   * The `httpOnly` and `secure` flags are <b>independent but complementary security</b> features for cookies. They protect against different types of vulnerabilities.
+	   * `httpOnly` vs `secure`:
+	   * `httpOnly` - Controls WHO can access the cookie:
+	   * - `true`: Only server can access (blocks client-side JavaScript)
+	   * - `false`: Both server and client-side JavaScript can access
+	   *
+	   *`secure` - Controls HOW the cookie is transmitted:
+	   * - `true`: Only sent over HTTPS connections
+	   * - `false`: Sent over both HTTP and HTTPS
 		 *
 		 * You must specify a `path` for the cookie. In most cases you should explicitly set `path: '/'` to make the cookie available throughout your app. You can use relative paths, or set `path: ''` to make the cookie only available on the current path and its children
 		 *