Cookie policy
Last updated .
Kuhe uses only the cookies it needs to keep you signed in and your account safe. No analytics cookies. No advertising cookies. No third-party scripts that set cookies on our behalf. The banner on the bottom of the page is informational — there is nothing to opt out of because nothing optional is set.
If you sign in on a fresh browser, you'll receive the two cookies below. If you don't sign in, none are set at all (we don't track anonymous visits with cookies — pageview counts are tied to your IP only on the server side, and that table is purged on a rolling window).
What we set
kuhe_session7 days from issue (resets each session refresh)Keeps you signed in after login. HttpOnly + Secure + SameSite=Lax, so JavaScript on the page never reads it and the browser refuses to send it cross-site.
Set by kuhe.me (first-party).
kuhe_csrf7 days from issueProtects sensitive POST / PATCH / DELETE requests against cross-site request forgery. The page reads it and echoes it back in the X-CSRF-Token header; the backend rejects any mutation where the cookie and the header disagree.
Set by kuhe.me (first-party).
Retention and rotation
Both cookies expire after 7 days of inactivity. Logging out immediately invalidates the session token on the server side and clears both cookies in your browser. Rotating the JWT secret on the server (during an incident response, for example) invalidates every existing session cookie within seconds without any action on your part.
Disabling cookies
You can block or delete these cookies through your browser settings, but the site won't be usable while signed in — every sensitive request will be rejected because the CSRF check can't be satisfied, and you'll be signed out as soon as the session cookie is removed. There's no third-party tracker version of the site that works without cookies; this is the only version.
Questions
Email support@kuhe.me if anything here is unclear or if you spot a mismatch between this page and what your browser is actually receiving.