Added a httponly option for HTMLResponse.set_cookie

solara/server/settings.py

@@ -132,6 +132,7 @@ class Config:
 
 class Session(BaseSettings):
     secret_key: str = SESSION_SECRET_KEY_DEFAULT
+    http_only: bool = False
     https_only: Optional[bool] = None
     same_site: str = "lax"
 

solara/server/starlette.py

@@ -444,6 +444,7 @@ async def root(request: Request, fullpath: str = ""):
     session_id = request.cookies.get(server.COOKIE_KEY_SESSION_ID) or str(uuid4())
     samesite = "lax"
     secure = False
+    httponly = settings.session.http_only
     # we want samesite, so we can set a cookie when embedded in an iframe, such as on huggingface
     # however, samesite=none requires Secure https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
     # when hosted on the localhost domain we can always set the Secure flag
@@ -469,6 +470,7 @@ async def root(request: Request, fullpath: str = ""):
         expires="Fri, 01 Jan 2038 00:00:00 GMT",
         samesite=samesite,  # type: ignore
         secure=secure,  # type: ignore
+        httponly=httponly,  # type: ignore
     )  # type: ignore
     return response