Frontend Expert & Mentor: Combining 7+ years of software engineering with a deep passion for experience design. I craft digital interfaces that captivate and deliver seamless user experiences, thanks
With HttpOnly you are still vulnerable to self-XSS; any browser extension, for example, could send requests to your server as the authenticated user. How should we deal with it?
Embed CSRF tokens in your auth token's payload and also save the CSRF tokens in local storage. Then on the server, verify the CSRF token in the payload against the CSRF token retrieved from local storage. This completely isolates you from both types of attack.
You pray to your God for protection.
That's a tricky one. One way could be to store the cookie in memory with a limited scope.
Actually you're vulnerable to CSRF if using the cookie with HttpOnly, but you can use a package, csurf, to solve this problem.