DEV Community

Discussion on: 7 security tips for your React application. 🔐

Warren Parad

Even the first suggestion can be dangerous, since cookies are not safe by default. You need to make sure to use SameSite=Strict, and not every browser currently supports that flag.

Additionally, there are some problems with even doing that though, because it means you can't actually use the token to do anything valuable by interacting with other domains. For instance, let's say you want to take your access token and use it to access other services which also support OIDC JWT compliant access tokens. Your app needs to have access to them. Which means cookies won't work because they won't send them cross domain. Take Authress for example which handles user permissions. You can take the access token from the UI and send it to Authress, where the token will be verified for authenticity before granting permissions. While you can store it in cookies, doing so without protections is both unsafe and feature limiting.
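An added example (not part of the comment above or of any project it mentions) modelling the browser's SameSite decision, to show why a token kept in a SameSite=Strict cookie is never attached to a cross-site API call, whereas a token the app holds itself can be sent in an Authorization header. The domains, the two-label "site" rule and the `cookieSent` helper are simplifying assumptions for illustration.

```javascript
// Registrable domain ("site") of a URL. Assumption: a two-label eTLD+1 is
// enough for this model (real browsers consult the Public Suffix List).
function siteOf(url) {
  const host = new URL(url).hostname;
  return host.split(".").slice(-2).join(".");
}

// Model of whether a browser attaches `cookie` to a request described by ctx:
//   ctx.from               origin that initiated the request
//   ctx.to                 request URL
//   ctx.topLevelNavigation true for a top-level navigation, false for fetch/XHR/img
//   ctx.method             HTTP method
// Missing SameSite is treated as Lax (the modern Chromium default).
function cookieSent(cookie, ctx) {
  if (cookie.secure && !ctx.to.startsWith("https:")) return false; // Secure: https only
  if (siteOf(ctx.from) === siteOf(ctx.to)) return true;             // same-site: always sent
  switch ((cookie.sameSite || "Lax").toLowerCase()) {
    case "strict":
      return false;                                                 // never cross-site
    case "lax":
      return ctx.topLevelNavigation && ctx.method === "GET";        // top-level GET only
    case "none":
      return Boolean(cookie.secure);                                // None requires Secure
    default:
      return false;
  }
}

// What the SPA sends when it keeps the access token in memory and sets the
// header itself: this travels to any origin the app chooses to call.
function bearerHeaders(token) {
  return { Authorization: `Bearer ${token}` };
}

// Constructed scenario: token stored as a hardened cookie by app.example.com,
// and the SPA calling a separate permissions service on another site.
const tokenCookie = { name: "access_token", sameSite: "Strict", secure: true, httpOnly: true };
const crossSiteApiCall = {
  from: "https://app.example.com",
  to: "https://api.permissions-provider.example/v1/check", // placeholder domain
  topLevelNavigation: false,
  method: "POST",
};
const sameSiteApiCall = { ...crossSiteApiCall, to: "https://app.example.com/api/me" };
```

With `crossSiteApiCall`, `cookieSent(tokenCookie, ...)` returns false while `cookieSent(tokenCookie, sameSiteApiCall)` returns true, which is the "feature limiting" trade-off the comment describes.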

Vaibhav Khulbe • Edited

Hi Warren, thanks for the insight! I just started with security, hence don't know much in detail. I just shared what I learned (till now). I've added your comment in the article so that others can check.