You don’t need to read the refresh cookie with JS (and shouldn’t). Instead, pair it with a separate CSRF token mechanism (double-submit cookie pattern) or rely on SameSite cookies. Django already supports this workflow out of the box.