zacksinclair on May 25, 2020, on: API with NestJS #3. Authenticating users with bcry...
Why not store a short-lived token in a cookie as well?
poxrud on May 25, 2020
Because then you can be vulnerable to a CSRF attack. For example, if someone tricks you into clicking www.mysite.com/api/delete-account.
anaxag0ras on May 25, 2020
CSRF attacks can be prevented using same-site policy with cookies.
poxrud on May 25, 2020
That is true but it will not protect against all forms of CSRF, for example you'll be vulnerable if you have user generated content that's not sanitized properly. On the refresh_token cookie I have sameSite and httpOnly set.
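An added example, not code from this thread or from the NestJS tutorial it discusses: it builds the refresh_token cookie with the HttpOnly and SameSite attributes poxrud mentions (plus Secure and a narrow Path, which are my additions) and audits any Set-Cookie header for those attributes, so a cookie that would ride along on a cross-site request is caught in review. The cookie name, path and lifetime are assumed values.

```javascript
// Constructs and audits a refresh-token cookie. Uses only plain JavaScript so it
// runs without a web framework; in NestJS/Express the header string goes into
// res.setHeader('Set-Cookie', ...). Cookie name/path/lifetime are assumptions.

function buildRefreshCookie(token, { maxAgeSeconds = 7 * 24 * 3600, path = '/auth/refresh' } = {}) {
  // Path is scoped to the refresh endpoint only, so the browser never attaches
  // this cookie to e.g. /api/delete-account even on a same-site request.
  return [
    `refresh_token=${encodeURIComponent(token)}`,
    `Path=${path}`,
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',          // not readable by script injected via unsanitized content
    'Secure',            // never sent over plain HTTP
    'SameSite=Strict',   // not sent on requests initiated from another site
  ].join('; ');
}

// Minimal Set-Cookie parser: name/value pair followed by ';'-separated attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Returns a list of findings; an empty list means the cookie has every
// attribute this check expects. SameSite alone is not a complete CSRF defence:
// a request forged from the site's own pages (e.g. via unsanitized user content)
// is same-site and still carries the cookie, hence the HttpOnly and Path checks.
function auditCookie(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.httponly) findings.push('missing HttpOnly: token readable by injected script');
  if (!attributes.secure) findings.push('missing Secure: token sent over plain HTTP');
  const ss = typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : null;
  if (!ss || ss === 'none') findings.push('SameSite absent or None: sent on cross-site requests');
  if (!attributes.path || attributes.path === '/') findings.push('Path is site-wide: narrow it to the refresh endpoint');
  return findings;
}
```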