Wednesday, June 30, 2021

Is storing a JWT access token in cookies (httpOnly, Secure, SameSite, with a short expiry date) safe?

Many blogs, websites, and other online resources say that the best way to store a JWT is in app memory for the access token and in cookies for the refresh token. The access token is then sent through the Authorization header when needed. We do this because storing the token in cookies is vulnerable to CSRF attacks.

But almost all of them are articles from 2018 or 2019, when SameSite cookies were not yet widely supported by all major browsers. Considering that today the major browsers already implement SameSite cookies, is it safe to store access tokens in cookies with httpOnly, SameSite=Strict, Secure, and a short expiry date?
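The following is an added example and is not code from the original question. It builds the Set-Cookie header for the cookie the question describes (HttpOnly, Secure, SameSite, short Max-Age) and then models, in simplified form, the browser's rules for attaching that cookie to a request, so you can see which cross-site requests still carry the access token under SameSite=Strict, Lax and None. The host names (app.example, attacker.example), the request shapes and the JWT value are constructed for illustration, and the "site" computation is a two-label approximation rather than the Public Suffix List that real browsers use.

```javascript
// Added example, not code from the original question. Models the cookie
// attributes asked about and a simplified version of the browser's rules for
// attaching such a cookie to a request. Host names, request shapes and the
// token value are constructed; siteOf() is a two-label approximation of the
// registrable domain, not the Public Suffix List real browsers consult.

// Build the Set-Cookie header value for a short-lived access-token cookie.
function buildSetCookie({ name, value, maxAgeSeconds, sameSite }) {
  return [
    `${name}=${value}`,
    `Max-Age=${maxAgeSeconds}`, // short expiry, as in the question
    "Path=/",
    "HttpOnly",                 // not readable via document.cookie
    "Secure",                   // never sent over plain http://
    `SameSite=${sameSite}`,     // Strict | Lax | None
  ].join("; ");
}

// Parse a Set-Cookie header value back into an attribute object.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split("; ");
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: "Lax", // modern browser default when the attribute is absent
    maxAge: null,
  };
  for (const attr of attrs) {
    const [key, val] = attr.split("=");
    switch (key.toLowerCase()) {
      case "httponly": cookie.httpOnly = true; break;
      case "secure":   cookie.secure = true; break;
      case "samesite": cookie.sameSite = val; break;
      case "max-age":  cookie.maxAge = Number(val); break;
      default: break; // Path and others are not needed for this model
    }
  }
  return cookie;
}

// Registrable domain of a host (assumption for the example: last two labels).
function siteOf(host) {
  return host.split(".").slice(-2).join(".");
}

// Simplified browser decision: is `cookie` (owned by cookieSite) attached to
// `request`?  request = { scheme, host, method, topLevelNavigation, initiatorHost }
function wouldSendCookie(cookie, cookieSite, request) {
  if (cookie.secure && request.scheme !== "https") return false;
  if (siteOf(request.host) !== cookieSite) return false; // wrong destination
  const sameSiteRequest = siteOf(request.initiatorHost) === cookieSite;
  switch (cookie.sameSite) {
    case "Strict":
      return sameSiteRequest;
    case "Lax":
      // cross-site only for top-level navigations with a safe method
      return sameSiteRequest ||
        (request.topLevelNavigation && request.method === "GET");
    case "None":
      return cookie.secure; // SameSite=None is only honoured together with Secure
    default:
      return sameSiteRequest;
  }
}

// For each SameSite value: does a classic CSRF attempt (auto-submitted form
// POST from attacker.example to app.example) and a cross-site top-level GET
// link carry the access-token cookie?
function csrfMatrix() {
  const crossSitePost = { scheme: "https", host: "app.example", method: "POST",
                          topLevelNavigation: true, initiatorHost: "attacker.example" };
  const crossSiteLink = { scheme: "https", host: "app.example", method: "GET",
                          topLevelNavigation: true, initiatorHost: "attacker.example" };
  const result = {};
  for (const sameSite of ["Strict", "Lax", "None"]) {
    const cookie = parseSetCookie(buildSetCookie({
      name: "access_token", value: "eyJ.constructed.jwt", maxAgeSeconds: 300, sameSite,
    }));
    result[sameSite] = {
      crossSitePost: wouldSendCookie(cookie, "app.example", crossSitePost),
      crossSiteLink: wouldSendCookie(cookie, "app.example", crossSiteLink),
    };
  }
  return result;
}

console.log(JSON.stringify(csrfMatrix(), null, 2));
```

Running it shows Strict sending the cookie on neither cross-site request, Lax sending it only on the top-level GET link, and None sending it on both. Two caveats the model leaves out: SameSite treats every subdomain of app.example as the same site, so an XSS or open redirect on a sibling subdomain is not "cross-site" to it, and SameSite does nothing against script already running on the application's own origin, which can still call the API with the cookie attached even though HttpOnly keeps the token value itself out of document.cookie. Strict also means a user arriving from an external link appears logged out on that first navigation, which is the usual reason sites pick Lax and keep GET endpoints free of side effects.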



