- JWT stored in HttpOnly, Secure, SameSite=Strict cookie — JS cannot
read the token at all; SameSite=Strict prevents CSRF without tokens
- Non-sensitive user payload returned in response body and stored in
localStorage for UI purposes only (not usable for auth)
- Add POST /api/auth/logout endpoint that clears the cookie server-side
- Add SECURE_COOKIES env var (default true) for local HTTP testing
- Extract login.html inline script to login.js (CSP compliance)
- Remove Authorization: Bearer header from API calls; add credentials:
include so cookies are sent automatically
- CSP script-src includes unsafe-inline to support existing onclick
handlers throughout the app

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
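As an added example (not the project's own code), a minimal JavaScript sketch of the cookie handling this commit describes: the cookie name, helper names and the one-day lifetime are assumptions, and any token value passed in is a constructed placeholder.

```javascript
// Added example, not the project's code. Cookie name, helper names and the
// one-day lifetime are assumptions; tokens passed in are constructed values.
const AUTH_COOKIE = 'auth_token';
const ONE_DAY = 60 * 60 * 24;

// SECURE_COOKIES env var: default true; only the literal "false" disables
// the Secure flag, for local HTTP testing.
function secureCookiesEnabled(env = process.env) {
  const v = env.SECURE_COOKIES;
  return v === undefined || v.trim().toLowerCase() !== 'false';
}

// Shared attribute list: HttpOnly keeps the cookie out of document.cookie,
// SameSite=Strict stops browsers attaching it to cross-site requests.
function cookieValue(value, maxAge, secure) {
  const parts = [`${AUTH_COOKIE}=${value}`, 'Path=/', `Max-Age=${maxAge}`,
                 'HttpOnly', 'SameSite=Strict'];
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Set-Cookie header value carrying the JWT after a successful login.
function authCookie(jwt, { secure = secureCookiesEnabled() } = {}) {
  return cookieValue(jwt, ONE_DAY, secure);
}

// Set-Cookie header value that clears the session (empty value, Max-Age=0).
function clearAuthCookie({ secure = secureCookiesEnabled() } = {}) {
  return cookieValue('', 0, secure);
}

// POST /api/auth/logout clears the cookie server-side; other methods get 405.
function logoutResponse(method, opts) {
  if (method !== 'POST') return { status: 405, headers: { Allow: 'POST' } };
  return { status: 204, headers: { 'Set-Cookie': clearAuthCookie(opts) } };
}

// Browser side (login.js and the rest of the app): no Authorization header;
// credentials: 'include' makes fetch send the cookie automatically.
function apiFetchOptions(method = 'GET', body) {
  const opts = { method, credentials: 'include', headers: {} };
  if (body !== undefined) {
    opts.headers['Content-Type'] = 'application/json';
    opts.body = JSON.stringify(body);
  }
  return opts;
}
```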