Glossary

httpOnly cookies:

- Protected from **XSS** — JavaScript cannot read httpOnly cookies through `document.cookie`, so even an injected script cannot exfiltrate the session token. Note the limit of this protection: a script running on the page can still issue requests that the browser sends with the cookie attached, so httpOnly prevents theft of the token, not its use from within the compromised page.
- Vulnerable to **CSRF** — the browser automatically sends cookies with cross-site requests, so a malicious site could trigger authenticated requests in the victim's session (mitigated with CSRF tokens or `SameSite` cookies).
