To mitigate these attacks, you have to set flags on the
Set-Cookie HTTP header:
- secure – this attribute tells the browser to only send the cookie if the request is being sent over HTTPS.
- HttpOnly – this attribute tells the browser not to expose the cookie to client-side script (e.g. document.cookie), so an XSS payload cannot read the session id.
So it would look something like this:
Set-Cookie: sid=<cookie-value>; HttpOnly; Secure
If you are using Express with the express cookie-session middleware, this is working by default.
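As an added example (not code from the original page), the small helpers below build a Set-Cookie value with the flags above and audit an existing header for missing flags; the function names and the session id `abc123` are my own choices.

```javascript
// Build a Set-Cookie header value for a session id. Both protective flags
// are on by default; pass { secure: false } to see the weaker form.
function buildSessionCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true } = opts;
  // A ';' or whitespace in the name/value would let a caller smuggle in
  // extra attributes, so refuse such input outright.
  if (/[;\s,]/.test(name) || /[;\s,]/.test(value)) {
    throw new Error('invalid cookie name or value');
  }
  const parts = [`${name}=${value}`];
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Parse a Set-Cookie value and report which of the two flags are absent.
// Attribute names are case-insensitive per RFC 6265, hence the lowercasing.
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  const missing = [];
  if (!flags.has('httponly')) missing.push('HttpOnly');
  if (!flags.has('secure')) missing.push('Secure');
  return { name: pair.split('=')[0], missing };
}

// Constructed sample values:
console.log(buildSessionCookie('sid', 'abc123'));
// -> sid=abc123; HttpOnly; Secure
console.log(buildSessionCookie('sid', 'abc123', { secure: false }));
// -> sid=abc123; HttpOnly   (weak: sent over plain HTTP too)
console.log(auditSetCookie('sid=abc123').missing);
// -> [ 'HttpOnly', 'Secure' ]
```

In an Express handler the hardened value can be emitted with `res.setHeader('Set-Cookie', buildSessionCookie('sid', id))`, and `auditSetCookie` can run over a response's headers in a test to catch a regression before it ships.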