Set auth cookie to httpOnly true for security

server/api/auth/login.post.ts

@@ -22,7 +22,7 @@ export default defineEventHandler(async (event) => {
   const token = await createJWT(user)
 
   setCookie(event, 'auth_token', token, {
-    httpOnly: false,
+    httpOnly: true,
     secure: process.env.NODE_ENV === 'production',
     sameSite: 'lax',
     maxAge: 7 * 24 * 60 * 60 // 7 days