DEV Community

Discussion on: How I Fixed JWT Security Flaws in 3 Steps

Renato Byrro Author

Hey, Ryan! Thank you for the kind words, I'm glad to have added some value!

That's the HTTP standard for setting the cookie on the response to the request. It's likely that your backend has a wrapper for this - as in Node.js. This way we don't have to worry about HTTP standards and can use a friendlier API instead.

Some suggest sending the JWT in the Authorization header:

Authorization: Bearer <token>

This helps to prevent CSRF attacks but is exposed to frontend JS. Using SameSite on your cookie will help against CSRF anyway.

In case you're worried, use both. You can have your main JWT set as a cookie, and a second JWT set in the Authorization header (may even use a different secret). The second one doesn't even have to contain the same info, perhaps only the user ID.

Then your backend can decode and validate both on each request. Doesn't add too much overhead and comes with an extra security layer. 😉

Ryan Smith

That makes sense, thank you!