Tags: django, cookies, django-rest-framework, session-cookies

Storing Access Token in httponly Cookie but user can still see it in Network tab of Chrome Dev Tools?


I am using Django to create a Python backend and am storing the user's access token and refresh token in httponly cookies so I can authenticate requests to my backend.

1) Is this the right way to do this?

2) I know that httponly prevents seeing the cookie using 'document.cookie', but you can still see the cookie by analyzing the network tab in Chrome Dev Tools. Is this fine because only the user can see it (not other people)? Or is this still bad?


Solution

  • I can't answer #1 authoritatively but it sounds fine to me. For #2, httponly is there to protect the cookie from being scraped by malicious code, not to keep the user from being able to find it in the developer tools. Even if it weren't visible in the Network tab, it would be visible under Application (or Storage in Firefox). This makes sense, because the user should always be able to see (and delete) individual cookies, regardless of how the server defined them.
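An added example (not from the question or the answer above) covering both points: it builds the Set-Cookie header value that the asker's Django view would emit for the access and refresh tokens, then audits header lines the way you would read them off the Network tab. It uses only the standard library's http.cookies so it runs without Django; the Django call it mirrors, response.set_cookie(..., httponly=True, secure=True, samesite="Strict"), is shown in a comment. The token values, cookie names and the refresh endpoint path are constructed placeholders, not values from the page. The audit function makes the answer's point concrete: HttpOnly is just another attribute in the header text the browser receives, so the user can always see it; what it changes is whether page scripts can read the cookie.

```python
from http.cookies import SimpleCookie

# Constructed placeholder tokens for the example; not real credentials.
ACCESS_TOKEN = "access.example.token"
REFRESH_TOKEN = "refresh.example.token"


def build_token_cookie(name, value, max_age, path="/"):
    """Build the Set-Cookie header value for a token cookie.

    The attributes mirror what a Django view emits with
        response.set_cookie(name, value, max_age=max_age, path=path,
                            httponly=True, secure=True, samesite="Strict")
    The stdlib SimpleCookie is used here so the example runs without Django.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True      # not readable via document.cookie
    jar[name]["secure"] = True        # only sent over HTTPS
    jar[name]["samesite"] = "Strict"  # not attached to cross-site requests
    jar[name]["max-age"] = max_age
    jar[name]["path"] = path
    return jar[name].OutputString()


def audit_set_cookie(header_value):
    """Parse one Set-Cookie header value, exactly as it appears in the
    browser's Network tab, and list the protective attributes it lacks.

    Returns (cookie_name, missing_attributes). HttpOnly shows up here as
    plain text: the flag restricts what page scripts may read, not what
    the user's own browser displays.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    missing = []
    if attrs.get("httponly") is not True:
        missing.append("HttpOnly")
    if attrs.get("secure") is not True:
        missing.append("Secure")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("strict", "lax"):
        missing.append("SameSite")
    return name, missing


# Constructed sample of what a Network-tab capture might show: the two
# token cookies from build_token_cookie plus a weaker legacy cookie.
# The refresh cookie is scoped to a hypothetical refresh endpoint path so
# the browser only sends it where it is needed.
CAPTURED_HEADERS = [
    build_token_cookie("access_token", ACCESS_TOKEN, 15 * 60),
    build_token_cookie("refresh_token", REFRESH_TOKEN, 7 * 24 * 3600,
                       path="/api/token/refresh/"),
    "legacy_session=abc123; Path=/",
]


def audit_capture(headers):
    """Audit a list of Set-Cookie header values; return {name: missing}."""
    return {name: missing for name, missing in map(audit_set_cookie, headers)}


if __name__ == "__main__":
    for header in CAPTURED_HEADERS:
        print(header)
    for name, missing in audit_capture(CAPTURED_HEADERS).items():
        print(f"{name}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

Running it prints the three header lines and then flags only legacy_session, which lacks HttpOnly, Secure and SameSite. Seeing the token value in those printed lines is expected and harmless on its own, as the answer says; the attributes are what limit where and by whom the cookie can be used.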