When the CSRF-TOKEN cookie is added to the response header, SessionConfig.cookieHTTPOnly is used to determine whether or not the cookie should be sent with the HTTPOnly attribute. However, for the CSRF-TOKEN cookie to make sense, it should always be sent without HTTPOnly so that JavaScript can copy its content to the X-CSRF-Token header when accessing APIs.
In the top-most comment of PerfectSession/WebSecurity/CSRF.swift this intention is actually documented. It is just the implementation that configures the cookie in an unexpected way.
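
The client-side flow this report relies on, as an added example (not PerfectSession code): a small model of which cookies page script can read and how the token is copied into the X-CSRF-Token header. The Set-Cookie values, the token value and the SESSION-ID cookie name are constructed for illustration.

```javascript
// Added example: models what a browser exposes to page script via
// document.cookie, and the client half of the cookie-to-header pattern.

// Parse one Set-Cookie header value into { name, value, httpOnly }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: ignore the header
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: attrs.some((a) => a.toLowerCase() === 'httponly'),
  };
}

// The string document.cookie would return: HttpOnly cookies are omitted.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => c && !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Client side of the pattern: copy CSRF-TOKEN into the X-CSRF-Token header.
function csrfHeaders(documentCookie) {
  for (const part of documentCookie.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'CSRF-TOKEN' && rest.length) {
      return { 'X-CSRF-Token': rest.join('=') };
    }
  }
  return {}; // token not readable: the request goes out without the header
}

const token = 'constructed-token-123'; // constructed sample value
// Reported behaviour when cookieHTTPOnly is true: both cookies get HttpOnly.
const asIssued = ['SESSION-ID=abc; HttpOnly', `CSRF-TOKEN=${token}; HttpOnly`];
// Documented intent: the session cookie stays HttpOnly, the CSRF cookie does not.
const asIntended = ['SESSION-ID=abc; HttpOnly', `CSRF-TOKEN=${token}`];

console.log(csrfHeaders(scriptVisibleCookies(asIssued)));
console.log(csrfHeaders(scriptVisibleCookies(asIntended)));
```

With the flag applied to both cookies, script sees an empty cookie string and every API call lacks X-CSRF-Token; keeping HttpOnly on the session cookie alone preserves its protection while leaving the token readable.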