Discussion on: Steps to building authentication and authorization for RESTful APIs

Janne "Lietu" Enberg

Using SameSite=Strict on the cookies also blocks CSRF and that kind of attack*. If your system design is kinda poor, you can also use SameSite=Lax to get protection from most kinds of attacks.

Authentication tokens really should always be stored as HttpOnly; Secure; SameSite=Strict cookies, unless there are some VERY good reasons to do otherwise in a limited scope.


* ... on modern browsers
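The cookie attributes recommended in the comment above, as an added example that is not part of the original thread or the commenter's code: one function builds a Set-Cookie header for a session token with HttpOnly, Secure and SameSite=Strict (plus the __Host- prefix, which makes browsers that implement cookie prefixes reject the cookie unless it is Secure, has Path=/ and no Domain), and a second function parses arbitrary Set-Cookie headers and reports which of those protections is missing, so it can be run over an API's responses during review. The function names, the cookie name and the token values are assumptions made for the example.

```javascript
// Added example, not from the original thread. Names below are assumptions.

// Build a Set-Cookie header for an auth token with the attributes the comment
// recommends. The __Host- prefix adds a browser-enforced check that the cookie
// is Secure, scoped to Path=/ and carries no Domain attribute.
function sessionCookie(name, token, maxAgeSeconds = 3600) {
  // Reject separators and control characters so the token cannot inject attributes.
  if (!/^[A-Za-z0-9_-]+$/.test(token)) {
    throw new Error("token must be URL-safe (no separators or control chars)");
  }
  return [
    `__Host-${name}=${token}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",        // not readable by document.cookie / injected script
    "Secure",          // only sent over HTTPS
    "SameSite=Strict", // never sent on cross-site requests (CSRF defense)
  ].join("; ");
}

// Parse a Set-Cookie header into its name/value pair and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Audit a Set-Cookie header that carries an auth token; returns a list of
// findings (empty means the cookie matches the recommended attributes).
function auditAuthCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const problems = [];
  if (!attributes.httponly) {
    problems.push("missing HttpOnly: token readable by any script running on the page");
  }
  if (!attributes.secure) {
    problems.push("missing Secure: token can be sent over plaintext HTTP");
  }
  const ss = typeof attributes.samesite === "string" ? attributes.samesite.toLowerCase() : null;
  if (ss === null) {
    problems.push("missing SameSite: cross-site behaviour depends on the browser default");
  } else if (ss === "none") {
    problems.push("SameSite=None: sent on cross-site requests, CSRF needs another defense");
  } else if (ss === "lax") {
    problems.push("SameSite=Lax: still sent on top-level cross-site GET navigations");
  }
  if (attributes.domain) {
    problems.push("Domain set: cookie is shared with every subdomain");
  }
  if (name.startsWith("__Host-") &&
      (attributes.domain || attributes.path !== "/" || !attributes.secure)) {
    problems.push("__Host- prefix requirements not met: browsers will reject the cookie");
  }
  return problems;
}

// Stand-alone usage with constructed headers.
console.log(sessionCookie("session", "abc123"));
console.log(auditAuthCookie(sessionCookie("session", "abc123")));        // []
console.log(auditAuthCookie("session=abc123; Path=/; Domain=example.com")); // several findings
```

The audit treats SameSite=Lax as a finding rather than an error, matching the comment's point that Lax covers most but not all cross-site request shapes; pair the Strict setting with a same-origin front end, since Strict cookies are not sent when the user arrives via a link from another site.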