Store JWT token in cookie

Front-end | Unresolved | 2 | 421
庸人自扰 2021-02-01 09:54

This is my setup:

  • 1 authentication server which gives out a JWT token on successful authentication.
  • Multiple API resource servers which give information (
2 answers
  • 谎友^ (OP)
    2021-02-01 10:03

    You’re on the right path! The cookie should always have the HttpOnly flag, setting this flag will prevent the JavaScript environment (in the web browser) from accessing the cookie. This is the best way to prevent XSS attacks in the browser.

    You should also use the Secure flag in production, to ensure that the cookie is only sent over HTTPS.

    You also need to prevent CSRF attacks. This is typically done by setting a value in another cookie, which must be supplied on every request.

    I work at Stormpath and we’ve written a lot of information about front-end security. These two posts may be useful for understanding all the facets:

    Token Based Authentication for Single Page Apps (SPAs)

    https://stormpath.com/blog/build-secure-user-interfaces-using-jwts/
