
Rename option "httpOnly" to "httponly" for consistency.

ADmad 5 years ago
parent
commit
8762b2452a

+ 8 - 3
src/Http/Middleware/CsrfProtectionMiddleware.php

@@ -53,7 +53,7 @@ class CsrfProtectionMiddleware implements MiddlewareInterface
      *  - `expiry` A strotime compatible value of how long the CSRF token should last.
      *    Defaults to browser session.
      *  - `secure` Whether or not the cookie will be set with the Secure flag. Defaults to false.
-     *  - `httpOnly` Whether or not the cookie will be set with the HttpOnly flag. Defaults to false.
+     *  - `httponly` Whether or not the cookie will be set with the HttpOnly flag. Defaults to false.
      *  - 'samesite' "SameSite" attribute for cookies. Defaults to `null`.
      *    Valid values: `CookieInterface::SAMESITE_LAX`, `CookieInterface::SAMESITE_STRICT`,
      *    `CookieInterface::SAMESITE_NONE` or `null`.
@@ -66,7 +66,7 @@ class CsrfProtectionMiddleware implements MiddlewareInterface
         'cookieName' => 'csrfToken',
         'expiry' => 0,
         'secure' => false,
-        'httpOnly' => false,
+        'httponly' => false,
         'samesite' => null,
         'field' => '_csrfToken',
     ];
@@ -92,6 +92,11 @@ class CsrfProtectionMiddleware implements MiddlewareInterface
      */
     public function __construct(array $config = [])
     {
+        if (array_key_exists('httpOnly', $config)) {
+            $config['httponly'] = $config['httpOnly'];
+            deprecationWarning('Option `httpOnly` is deprecated. Use lowercased `httponly` instead.');
+        }
+
         $this->_config = $config + $this->_config;
     }
 
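Review bot: In the constructor shim, a legacy `httpOnly` value overwrites an explicitly passed `httponly` when a caller supplies both, so a leftover `'httpOnly' => false` in older configuration would take the HttpOnly flag off the CSRF cookie even though the new key asks for it. The old key is also left in `$config` and is merged into `$this->_config` next to the new one. If the new spelling is meant to win, `$config += ['httponly' => $config['httpOnly']];` followed by `unset($config['httpOnly']);` keeps the shim and resolves both points. Which key takes precedence is a design decision, and it would be worth stating in the constructor docblock, which starts outside this hunk.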
@@ -298,7 +303,7 @@ class CsrfProtectionMiddleware implements MiddlewareInterface
                 'expires' => $this->_config['expiry'] ?: null,
                 'path' => $request->getAttribute('webroot'),
                 'secure' => $this->_config['secure'],
-                'httponly' => $this->_config['httpOnly'],
+                'httponly' => $this->_config['httponly'],
                 'samesite' => $this->_config['samesite'],
             ]
         );

+ 24 - 2
tests/TestCase/Http/Middleware/CsrfProtectionMiddlewareTest.php

@@ -367,7 +367,7 @@ class CsrfProtectionMiddlewareTest extends TestCase
             'cookieName' => 'token',
             'expiry' => '+1 hour',
             'secure' => true,
-            'httpOnly' => true,
+            'httponly' => true,
             'samesite' => CookieInterface::SAMESITE_STRICT,
         ]);
         $response = $middleware->process($request, $this->_getRequestHandler());
@@ -379,10 +379,32 @@ class CsrfProtectionMiddlewareTest extends TestCase
         $this->assertWithinRange(strtotime('+1 hour'), $cookie['expires'], 1, 'session duration.');
         $this->assertSame('/dir/', $cookie['path'], 'session path.');
         $this->assertTrue($cookie['secure'], 'cookie security flag missing');
-        $this->assertTrue($cookie['httponly'], 'cookie httpOnly flag missing');
+        $this->assertTrue($cookie['httponly'], 'cookie httponly flag missing');
         $this->assertSame(CookieInterface::SAMESITE_STRICT, $cookie['samesite'], 'samesite attribute missing');
     }
 
+    public function testUsingDeprecatedConfigKey()
+    {
+        $this->deprecated(function () {
+            $request = new ServerRequest([
+                'environment' => ['REQUEST_METHOD' => 'GET'],
+                'webroot' => '/dir/',
+            ]);
+
+            $middleware = new CsrfProtectionMiddleware([
+                'cookieName' => 'token',
+                'expiry' => '+1 hour',
+                'secure' => true,
+                'httpOnly' => true,
+                'samesite' => CookieInterface::SAMESITE_STRICT,
+            ]);
+            $response = $middleware->process($request, $this->_getRequestHandler());
+
+            $cookie = $response->getCookie('token');
+            $this->assertTrue($cookie['httponly'], 'cookie httponly flag missing');
+        });
+    }
+
     /**
      * Test that the configuration options work.
      *