From 2adf72c13876b4780e969663df863ddd9f14fc0f Mon Sep 17 00:00:00 2001
From: Kharec
Date: Wed, 6 May 2026 20:07:00 +0200
Subject: [PATCH] fix(middleware): set CSRF cookie HttpOnly false for double-submit from JS

---
 internal/middleware/csrf.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/middleware/csrf.go b/internal/middleware/csrf.go
index 14df31d..29d2204 100644
--- a/internal/middleware/csrf.go
+++ b/internal/middleware/csrf.go
@@ -28,7 +28,7 @@ func SetCSRFToken(w http.ResponseWriter, r *http.Request, token string) {
 Name: CSRFTokenCookieName,
 Value: token,
 Path: "/",
-HttpOnly: true,
+HttpOnly: false,
 Secure: IsHTTPS(r),
 SameSite: http.SameSiteLaxMode,
 MaxAge: 3600,
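Review bot: The new `HttpOnly: false` line carries no comment, so it reads as a misconfiguration and is exactly what a cookie-hardening linter or the next reviewer will flip back to `true`, silently breaking the double-submit flow the commit message describes. Record the intent in the code rather than only in the commit message, e.g. `// HttpOnly is deliberately false: the double-submit pattern requires client-side JS to read this cookie and echo it in a request header; it must never hold the session identifier.` placed on the line above `HttpOnly: false,`. Since the token value is now readable by any script on the origin, it is worth confirming (not visible in this hunk) that `token` is a random per-session value independent of the session cookie, so that exposing it grants nothing beyond CSRF-token knowledge. The `http.Cookie` literal and `SetCSRFToken` both begin before and continue past this hunk.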