score:0

    res.cookie('x-auth-token', token, {
      // Express option names are camelCase; maxAge is in milliseconds
      maxAge: 3600,
      httpOnly: true,
      secure: true
    })

score:2

If you take a close look at your screenshot, you can see that the cookie is sent by the server as HttpOnly. This is a security measure, and therefore the cookie isn't accessible to any JavaScript code by design.

See https://developer.mozilla.org/en-us/docs/web/http/cookies#restrict_access_to_cookies

If you are in control of the server, you could change it accordingly; if not, you will have to make a deal :-)
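
The behaviour described in the answer above, as an added example that is not part of the original answers: it parses `Set-Cookie` header values and reports which cookies a page script could read through `document.cookie`. The header values and the function names `parseSetCookie`, `scriptVisibleCookies` and `auditCookies` are constructed for illustration, and the sketch assumes an HTTPS page on a matching path with unexpired cookies.

```javascript
// Constructed Set-Cookie header values (sample data, not from the original post).
const SAMPLE_HEADERS = [
  'x-auth-token=abc123; Max-Age=3; Path=/; HttpOnly; Secure',
  'theme=dark; Path=/',
  'csrf=tok456; Path=/; secure; SameSite=Strict',
];

// Parse one Set-Cookie header value into name, value and an attribute map.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error('malformed cookie pair: ' + pair);
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue; // tolerate a trailing ';'
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// What a page script would get from document.cookie: HttpOnly cookies are omitted.
function scriptVisibleCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Per-cookie report of the two flags the first answer sets (hypothetical audit helper).
function auditCookies(headers) {
  return headers.map(parseSetCookie).map((c) => ({
    name: c.name,
    httpOnly: Boolean(c.attrs.httponly),
    secure: Boolean(c.attrs.secure),
  }));
}

console.log(scriptVisibleCookies(SAMPLE_HEADERS));
console.log(auditCookies(SAMPLE_HEADERS));
```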

