
re: Please Stop Using Local Storage


You're advocating for cookie-based authentication using sessions (an increasingly dated practice), but you do not mention anywhere adding real CSRF protection:

From OWASP, regarding your SameSite=strict suggestion:
Considering the factors above, it is not recommended to be used as a primary defense. Google agrees with this stance and strongly encourages developers to deploy server-side defenses such as tokens to mitigate CSRF more fully.
