DEV Community

Discussion on: JWT Authentication Best Practices

Branislav Lazic • Edited on

I was thinking the same. Indeed, they can. But stealing a token is still worse than making a request on behalf of a user. With a stolen token, an attacker can make requests not just for a predetermined set of API calls (the ones coded in your client app), but also on other services that require the stolen access token. In the case where we store an access token in an httpOnly cookie, the attacker can make a request only for a limited set of API calls. Other services could remain isolated.

Bohdan

He can make requests to any endpoint just by using fetch, and the token will be in place.

Branislav Lazic • Edited on

No, it won't. That's why we have the "Domain" attribute. A cookie will not be sent if our server and the malicious one don't share the same domain: developer.mozilla.org/en-US/docs/W....
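Added illustration, not part of the thread: a minimal model of the RFC 6265 checks a browser runs before attaching a cookie to a request (Domain, Path, Secure), run over constructed sample cookies. The function names, the cookie object layout and the sample hosts are our own; it also separates the HttpOnly attribute, which only governs script access, from the sending rules.

```javascript
// RFC 6265 section 5.1.3: does requestHost "domain-match" the cookie's Domain value?
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, ''); // leading dot is ignored
  if (host === domain) return true;
  // Suffix match on a label boundary; IP literals never domain-match a parent.
  return host.endsWith('.' + domain) && !/^[\d.]+$/.test(host);
}

// RFC 6265 section 5.1.4: does requestPath "path-match" the cookie's Path value?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// cookie = { name, originHost, domain?, path, secure, httpOnly }
//   originHost: host that set the cookie; domain: the Domain attribute, if present.
// Returns true when a browser would attach this cookie to a request to requestUrl.
function wouldBeSent(cookie, requestUrl) {
  const url = new URL(requestUrl);
  if (cookie.secure && url.protocol !== 'https:') return false; // Secure: HTTPS only
  const hostOk = cookie.domain
    ? domainMatches(url.hostname, cookie.domain) // Domain set: that host and its subdomains
    : url.hostname === cookie.originHost;        // no Domain: host-only, exact match
  return hostOk && pathMatches(url.pathname, cookie.path || '/');
}

// HttpOnly never changes whether the cookie is sent; it only hides it from document.cookie.
function readableFromScript(cookie) {
  return !cookie.httpOnly;
}

// Constructed samples: a token cookie set by app.example.com with Domain=example.com,
// and the same cookie set without a Domain attribute (host-only).
const tokenCookie = {
  name: 'access_token', originHost: 'app.example.com', domain: 'example.com',
  path: '/', secure: true, httpOnly: true,
};
const hostOnlyCookie = { ...tokenCookie, domain: undefined };
```

With `tokenCookie`, a request to `https://api.example.com/v1/orders` carries the cookie while one to `https://attacker.example.org/collect` does not; the host-only variant is sent to `app.example.com` only.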