How We Made Revolink More Secure Without You Having to Do Anything
We moved sensitive session data from browser storage to httpOnly cookies. Here's what changed, why it matters, and what it means for your account security.
Security Updates Shouldn't Require a Support Ticket
Most security improvements in software are invisible. A dependency gets patched, a configuration gets hardened, an attack vector gets closed. Users never know. Their accounts are safer than they were yesterday, and they didn't have to do a thing.
This update is in that category, but it's significant enough that we want to explain what changed and why it matters.
We moved sensitive session data out of browser storage and into httpOnly cookies. Here's what that means in plain language.
The Problem with Storing Tokens in the Browser
When you log into a web application, the server issues an authentication token (essentially a digital key that proves you're you). That token needs to be stored somewhere on the client side so the app can include it with every subsequent request.
The common approach is to store it in the browser's localStorage or in a regular JavaScript-accessible cookie. It's simple to implement and works well in the straightforward case. The problem is exposure.
LocalStorage and regular cookies are fully accessible to any JavaScript running on the page. That's fine when the only JavaScript on the page is yours. It becomes a serious problem when it isn't.
Cross-site scripting (XSS) is one of the most common web vulnerabilities. It allows an attacker to inject malicious JavaScript into a page, whether through a compromised third-party script, a browser extension, a content injection flaw, or other vectors. Once malicious JavaScript is running, it can read everything in localStorage and all non-httpOnly cookies, including your authentication token. With that token, an attacker can impersonate you until it expires.
This isn't a theoretical concern. XSS consistently appears in the OWASP Top 10 list of the most critical web application security risks, and token theft via XSS is a real attack that happens to real products.
What httpOnly Cookies Do Differently
HttpOnly is a flag on a cookie that tells the browser: this cookie cannot be accessed by JavaScript, period. It's set by the server, transmitted automatically with every request, and completely invisible to any script running on the page.
The practical effect: even if malicious JavaScript runs on the page, it cannot read the authentication token. The attack surface for token theft via XSS is eliminated.
The session still works exactly the same from your perspective. You log in, you stay logged in, everything functions as before. The difference is entirely in how the token is stored and protected: server-side enforcement rather than application-level convention.
What Else Changed
Alongside the httpOnly cookie migration, we also tightened several related security properties:
SameSite protection: cookies now include the SameSite attribute, which prevents them from being sent in cross-site requests. This closes a separate class of attacks known as CSRF (cross-site request forgery), where a malicious site tricks your browser into making authenticated requests to Revolink on your behalf.
Secure flag: cookies are now marked Secure, meaning they're only transmitted over HTTPS connections. No fallback to unencrypted HTTP where tokens could be intercepted.
Scoped to domain: cookies are scoped precisely to the Revolink domain, limiting exposure to exactly the contexts where they're needed.
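To make these attributes concrete, here is an added example (not Revolink's own code) that builds a Set-Cookie header carrying all of the protections above and audits any Set-Cookie value for them; the function names and the domain revolink.example are assumptions made for the example.

```python
# Added example (not Revolink's code): build a session cookie with the
# attributes described above and audit a Set-Cookie header for them. The
# function names and the domain revolink.example are placeholders.
from http import cookies


def build_session_cookie(name, value, domain, max_age=3600, same_site="Lax"):
    """Return a Set-Cookie value carrying every hardening attribute.

    HttpOnly: document.cookie cannot read it, so injected script cannot copy
    the token out. Secure: HTTPS only. SameSite=Lax withholds the cookie on
    cross-site subresources and POSTs; Strict also on top-level navigations.
    Domain: an explicit Domain also covers subdomains; omitting it gives a
    host-only cookie, the narrowest scope.
    """
    jar = cookies.SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = same_site
    morsel["domain"] = domain
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def audit_set_cookie(header):
    """Return the protections described in this post that a Set-Cookie
    value lacks; an empty list means HttpOnly, Secure and SameSite are all set."""
    _name_value, *attrs = (part.strip() for part in header.split(";"))
    present = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        present[key.strip().lower()] = val.strip()
    problems = []
    if "httponly" not in present:
        problems.append("missing HttpOnly: readable by any script on the page")
    if "secure" not in present:
        problems.append("missing Secure: may be sent over unencrypted HTTP")
    if present.get("samesite", "").lower() not in ("lax", "strict"):
        problems.append("SameSite absent or None: sent on cross-site requests")
    return problems


# Constructed samples: the old style (token in a bare cookie) and the new one.
WEAK_EXAMPLE = "session=abc123; Path=/"
HARDENED_EXAMPLE = build_session_cookie("session", "abc123", "revolink.example")
```

HttpOnly stops a script from reading the cookie, but a script already running on the page can still send requests that carry it, which is why the SameSite and Secure attributes and server-side checks still matter.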
What This Means for You
Practically speaking: nothing changes on your end. You don't need to log out and back in. You don't need to update any settings. Your links, analytics, and workspace data are all exactly where you left them.
What changed is the underlying security posture of your account. Your session token is now protected in a way that JavaScript, including any malicious JavaScript that might end up running on the page, cannot reach.
For teams using Revolink to manage campaign links, QR codes, and routing rules, this matters. The links you manage often control where real traffic goes. Keeping your account secure means keeping that control where it belongs: with you.
Security Is Ongoing
This update is one part of a broader commitment to making Revolink a platform teams can trust with their marketing infrastructure.
Security improvements don't always come with announcements. Many are silent β patches, hardening, monitoring improvements that happen in the background. But when a change is architecturally significant, we think it's worth being transparent about what changed and why.
Your account is more secure today than it was before this update. That's the point.
Revolink Team
Content writer at Revolink, covering topics on link management, marketing automation, and growth strategies.