Commit 463ea8f

docs: expand cookie_http_only documentation with security warnings (#1894)
* feat: add llms.txt to allow LLM consumption of docs

  This adds a llms.txt file to the root of the documentation repository. This file explicitly grants permission for Large Language Models (LLMs) to ingest and use Pomerium's public documentation.

  Fixes #1862

* docs: expand cookie_http_only documentation with security warnings

  Add comprehensive security warnings to the cookie_http_only documentation to help users understand the risks of disabling HttpOnly cookies:

  - Document XSS vulnerabilities when HttpOnly is disabled
  - Add warnings about client-side attacks and third-party script risks
  - Include security warning box with best practices
  - Provide guidance for users who must disable HttpOnly

  Fixes #1877

* fix: correct admonition formatting and remove llms.txt

  - Fix admonition block formatting by adding required blank line after warning header
  - Remove llms.txt file as requested
  - Apply prettier formatting to ensure consistency

* Update content/docs/reference/cookies.mdx

* style: clean up formatting in cookie_http_only admonition

  - Remove trailing whitespace
  - Remove extra blank line after admonition block
  - Ensure consistent formatting throughout the file
1 parent 1b1b97b commit 463ea8f

1 file changed

+20
-0
lines changed


content/docs/reference/cookies.mdx

Lines changed: 20 additions & 0 deletions
@@ -162,6 +162,26 @@ cookie:
162162

163163
If true, **Cookie HTTP Only** forbids JavaScript from accessing the cookie.
164164

165+
While the HttpOnly flag is enabled by default for security reasons, some users may choose to disable it for specific use cases that require JavaScript access to cookies. However, disabling HttpOnly cookies significantly increases security risks:
166+
167+
- **XSS Vulnerability**: Without the HttpOnly flag, cookies become accessible to JavaScript code, making them vulnerable to Cross-Site Scripting (XSS) attacks. Malicious scripts could steal session cookies and hijack user sessions.
168+
- **Client-Side Attacks**: Any compromised or malicious JavaScript running on the page can read and exfiltrate cookie values.
169+
- **Third-Party Script Risks**: If your application includes third-party JavaScript libraries or scripts, they would also have access to non-HttpOnly cookies.
170+
171+
:::warning Security Warning
172+
173+
Disabling the HttpOnly flag (`cookie_http_only: false`) is strongly discouraged and should only be done when absolutely necessary. If you must disable HttpOnly:
174+
175+
1. Ensure your application has robust XSS protection mechanisms
176+
2. Regularly audit all JavaScript code, including third-party dependencies
177+
3. Consider implementing additional security measures like Content Security Policy (CSP)
178+
4. Limit the scope and lifetime of non-HttpOnly cookies
179+
5. Monitor for suspicious activity that could indicate cookie theft
180+
181+
The security implications of disabling HttpOnly far outweigh most convenience benefits. Carefully evaluate whether your use case truly requires JavaScript cookie access before making this change.
182+
183+
:::
184+
165185
### How to configure {#cookie-http-only-how-to-configure}
166186

167187
<Tabs>
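Review bot: The new paragraph's justification for the setting ("some users may choose to disable it for specific use cases that require JavaScript access to cookies") never says what those use cases are, and step 1 of the list ("Ensure your application has robust XSS protection mechanisms") is too vague for a reader to act on; either name one concrete scenario in which JavaScript must read this cookie or drop the phrase, and replace step 1 with the concrete measures the list already points at (encoding untrusted data in output, and the Content Security Policy named in step 3). Step 4 ("Limit the scope and lifetime of non-HttpOnly cookies") would be more useful if it linked to whichever sibling settings in this same `cookie:` block control expiry, domain and SameSite, since that is where the reader applies it. Minor: the custom title in `:::warning Security Warning` largely repeats the admonition type; `:::warning` alone, or a title naming the action ("Disabling HttpOnly"), reads cleaner.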
