From 4e188eb8d56c634bb7253f6def3a1a57ab585659 Mon Sep 17 00:00:00 2001
From: Kharec
Date: Wed, 6 May 2026 20:07:35 +0200
Subject: [PATCH] test(middleware): expect CSRF cookie readable by script for header submit

---
 internal/middleware/csrf_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/middleware/csrf_test.go b/internal/middleware/csrf_test.go
index 2018152..3940758 100644
--- a/internal/middleware/csrf_test.go
+++ b/internal/middleware/csrf_test.go
@@ -242,8 +242,8 @@ func TestSetCSRFToken(t *testing.T) {
 t.Errorf("Expected cookie value %s, got %s", token, cookie.Value)
 }

- if !cookie.HttpOnly {
- t.Error("CSRF token cookie should be HttpOnly")
+ if cookie.HttpOnly {
+ t.Error("CSRF token cookie must not be HttpOnly so JS can mirror it to X-CSRF-Token")
 }

 if cookie.SameSite != http.SameSiteLaxMode {
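Review bot: The flipped assertion at `if cookie.HttpOnly {` pins a deliberate relaxation of the cookie (script-readable so the page can copy it into X-CSRF-Token), but the only rationale is the failure message, so a later hardening pass could easily flip it back. I would add a comment above the check, e.g. `// Double-submit pattern: cookie is intentionally readable by JS; it must hold only the CSRF token, never session authority.` Because a readable token is exposed to any script running on the origin, it is worth confirming that the test also asserts the Secure attribute and that the middleware rejects a request whose header does not match the cookie; neither is visible in this hunk. TestSetCSRFToken starts and ends outside the hunk, and the patch touches only the test file, so the matching middleware change presumably lands in another commit.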