DEV Community

Discussion on: The Ultimate Guide to handling JWTs on frontend clients (GraphQL)

vladimirnovick profile image
Vladimir Novick Author

I am not saying you are not 100% vulnerable, but you are way less vulnerable than in other solutions and without having a centralized token database.

As for cookie automatically applied when sent to malicious script, your cookie is http-only so it will be sent automatically only to the same domain thus reducing the risk of getting stolen. Also, it cannot be accessed through JS.