DEV Community

Discussion on: I am a Developer Advocate for Security in Mobile Apps and APIs, Ask Me Anything

Paulo Renato Ask Me Anything

Also, is SSR possible with HttpOnly cookies? I couldn't find anything related to this. Have you tried it?

Well, be it server-side rendered or not, HttpOnly cookies are not controlled by your app on the client side; instead, the browser is the one in charge of sending them back with each request to the backend, so you just need to check them on each request your backend receives:

From Mozilla:

Ways to mitigate attacks involving cookies:

  • Use the HttpOnly attribute to prevent access to cookie values via JavaScript.
  • Cookies that are used for sensitive information (such as indicating authentication) should have a short lifetime, with the SameSite attribute set to Strict or Lax. (See SameSite cookies, above.) In browsers that support SameSite, this has the effect of ensuring that the authentication cookie is not sent with cross-origin requests, so such a request is effectively unauthenticated to the application server.

Also remember to always encrypt the session cookies in your backend so that no one can spy on them, thus mitigating what Mozilla mentions:

Information should be stored in cookies with the understanding that all cookie values are visible to, and can be changed by, the end-user. Depending on the application, it may be desirable to use an opaque identifier which is looked-up by the server or to investigate alternative authentication/confidentiality mechanisms such as JSON Web Tokens.

So if you decide to put the JWT in a session cookie, then use JWE, aka encrypted JWTs... This is what I am doing in my Elixir/Phoenix app.
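As an added illustration of the approach described in this reply (example code, not from the original thread and not Phoenix's own code), this is how a Phoenix/Plug backend can issue a session cookie that is HttpOnly, Secure, SameSite=Strict and encrypted server-side with Plug's built-in cookie encryption, then decrypt and check it on every request. The `MyAppWeb` module, the cookie name and where the plug is mounted are assumptions; it relies on Plug 1.10 or newer and on `conn.secret_key_base` being set (Phoenix sets it from the endpoint config). It stores only an opaque user id, the "opaque identifier which is looked-up by the server" that the Mozilla text recommends, rather than a JWT.

```elixir
defmodule MyAppWeb.SessionCookie do
  @moduledoc """
  Issue and verify an encrypted, HttpOnly session cookie (added example).
  The encryption key is derived from `conn.secret_key_base`.
  """
  import Plug.Conn

  @cookie "_my_app_session"   # assumed cookie name
  @max_age 60 * 60            # short lifetime (one hour), as the Mozilla guidance suggests

  # Call this after a successful login. The value is an Elixir term, not a raw string:
  # Plug encrypts it, so the client only sees an opaque blob it can neither read nor alter.
  def put_session_cookie(conn, user_id) do
    put_resp_cookie(conn, @cookie, %{user_id: user_id},
      encrypt: true,        # authenticated encryption with secret_key_base; tampering fails decryption
      http_only: true,      # not readable from JavaScript
      secure: true,         # only sent over HTTPS
      same_site: "Strict",  # not sent on cross-site requests
      max_age: @max_age     # cookie Max-Age; Plug also embeds an expiry in the encrypted token
    )
  end

  # Plug to run on every request (e.g. in the :browser pipeline). It decrypts the cookie;
  # a missing, expired or tampered cookie yields no value, so the request is treated
  # as unauthenticated instead of trusting anything the client sent.
  def init(opts), do: opts

  def call(conn, _opts) do
    conn = fetch_cookies(conn, encrypted: [@cookie])

    case conn.cookies[@cookie] do
      %{user_id: user_id} -> assign(conn, :current_user_id, user_id)
      _ -> assign(conn, :current_user_id, nil)
    end
  end

  # Logout: instruct the browser to drop the cookie.
  def delete_session_cookie(conn), do: delete_resp_cookie(conn, @cookie)
end
```

Controllers then authorize on `conn.assigns.current_user_id` (nil means unauthenticated), and because the browser attaches the cookie itself, the same check works for server-rendered pages and for API calls alike.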

The good news is that Elixir has a paseto package, and it might be worth looking at if you want powerful security with SSR.

No need to use Paseto with Phoenix in Elixir, just use the native encrypted tokens.

Thanks for sharing your take on this. I am also glad that someone else uses Phoenix and Elixir in their stack.

Professionally I code in a lot of different languages, personally only in Elixir ;)