documentCookies
Reports uses of document.cookie, which can be error-prone and has security implications.
✅ This rule is included in the browser logical preset.
Direct use of document.cookie for reading and writing cookies is error-prone and has security implications.
The document.cookie API requires manual string parsing and formatting, which is tedious and can lead to bugs with encoding, expiration dates, and security flags.
Modern cookie management should be performed through dedicated libraries or the Cookie Store API, which provide better ergonomics and security.
Examples
Code the rule reports:

```js
const sessionId = document.cookie
  .split("; ")
  .find((row) => row.startsWith("session="))
  ?.split("=")[1];
document.cookie = "theme=dark";
document.cookie = `user=${userId}; expires=${expiryDate.toUTCString()}`;
```

Equivalent code using the Cookie Store API:

```js
// cookieStore.get() resolves to a cookie object (or null), so read its value.
const sessionId = (await cookieStore.get("session"))?.value;
await cookieStore.set("theme", "dark");
await cookieStore.set({
  name: "user",
  value: userId,
  expires: expiryDate.getTime(),
});
```

Options
This rule is not configurable.
When Not To Use It
If you need to support older browsers that do not have access to the Cookie Store API or cookie management libraries, you might need to use document.cookie directly.
However, for most modern applications, prefer using proper cookie management abstractions.
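Where document.cookie has to be used directly, keeping the parsing and formatting in one tested wrapper limits the encoding and flag mistakes described above. The following is an added example, not part of the rule's documentation: `naiveGet` wraps the lookup pattern from the Examples section, while `getCookie`, `serializeCookie` and the `SAMPLE` string are hypothetical names and constructed data used for illustration.

```javascript
// Added example. Pure string functions, so this runs outside a browser;
// in a page the input would be document.cookie.

// Constructed sample: a base64 value with "=" padding and a percent-encoded value.
const SAMPLE = "theme=dark; session=YWJjZA==; user=a%3Bb%20c";

// The lookup pattern from the Examples section, wrapped in a function.
function naiveGet(cookieString, name) {
  return cookieString
    .split("; ")
    .find((row) => row.startsWith(name + "="))
    ?.split("=")[1];
}

// Split on the first "=" only, match the exact name, percent-decode the value.
function getCookie(cookieString, name) {
  for (const pair of cookieString.split(";")) {
    const eq = pair.indexOf("=");
    if (eq === -1 || pair.slice(0, eq).trim() !== name) continue;
    const raw = pair.slice(eq + 1).trim();
    try {
      return decodeURIComponent(raw);
    } catch {
      return raw; // malformed percent-escape: hand back the raw value
    }
  }
  return undefined;
}

// Build the string assigned to document.cookie. Defaults to Secure and SameSite=Lax.
// HttpOnly is absent on purpose: script cannot set it, only a Set-Cookie header can.
function serializeCookie(name, value, opts = {}) {
  const { maxAge, path = "/", secure = true, sameSite = "Lax" } = opts;
  if (!/^[\w!#$%&'*+.^`|~-]+$/.test(name)) throw new TypeError("invalid cookie name");
  if (/[;\x00-\x1f\x7f]/.test(path)) throw new TypeError("invalid Path");
  if (!["Strict", "Lax", "None"].includes(sameSite)) throw new TypeError("invalid SameSite");
  if (sameSite === "None" && !secure) throw new TypeError("SameSite=None requires Secure");
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  parts.push(`SameSite=${sameSite}`);
  if (secure) parts.push("Secure");
  return parts.join("; ");
}
```

On the sample string, `naiveGet` drops the base64 padding from the session value and leaves the user value percent-encoded, while `getCookie` returns both intact.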
Further Reading
Equivalents in Other Linters
- Biome: noDocumentCookie
- ESLint: unicorn/no-document-cookie
- Oxlint: unicorn/no-document-cookie