
Cookie based auth #151

Open
ColeWalker opened this issue Oct 18, 2020 · 1 comment

@ColeWalker
Owner

Header-based auth is insecure.

@iJimmyWei

It looks like, as of now, the refresh_token and other details in the auth header payload could be susceptible to XSS and CSRF.

For more reading on the matter - https://security.stackexchange.com/questions/180357/store-auth-token-in-cookie-or-header - it would be a case of also using SameSite to avoid CSRF (it was introduced after that article was written).
