Is setting JWT and refresh tokens as HTTP-only cookies good?
I'm building out authentication and currently send the JWT and refresh tokens as HTTP-only cookies, and the backend validates the cookies instead of doing it through the bearer header. Is this an OK strategy?
1 Reply
Yes, that's correct. I'm assuming you are talking about the http only header and not the http protocol here.
The http only header is not literal; it actually means that its contents cannot be accessed by JavaScript, so you are safe from various attack vectors. Also, your server will rely on this header to be present.
You should always use HTTPS for these requests/responses.
Again:
the HTTPS protocol (HTTP + TLS) is different from the http only header (request).
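An added example (not code from either poster) of the scheme the question describes: the server mints an HS256 JWT, returns it in a Set-Cookie header carrying the HttpOnly, Secure and SameSite attributes, and on later requests validates it from the Cookie header rather than from Authorization. The function names, cookie name, secret and claims are constructed for the demo; the JWT is hand-rolled on the standard library so it runs offline.

```python
import base64, hashlib, hmac, json, time
from http.cookies import CookieError, SimpleCookie

SECRET = b"constructed-demo-key-replace-me"  # constructed; a real key comes from a secret store

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    """Mint a compact HS256 JWT: b64url(header).b64url(payload).b64url(signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, now=None):
    """Return the claims if the signature is valid and exp is in the future, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # constant-time check rejects forged or tampered tokens
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # bad structure, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None  # expired, or no exp claim at all
    return claims

def set_cookie_header(name: str, token: str, max_age: int, path: str = "/") -> str:
    """Set-Cookie value for the login response: HttpOnly hides the cookie from script,
    Secure restricts it to HTTPS, SameSite=Strict stops cross-site requests sending it."""
    return f"{name}={token}; Max-Age={max_age}; Path={path}; HttpOnly; Secure; SameSite=Strict"

def authenticate_request(headers: dict, now=None):
    """Validate the access token from the Cookie header; Authorization is ignored."""
    jar = SimpleCookie()
    try:
        jar.load(headers.get("Cookie", ""))
    except CookieError:
        return None
    if "access_token" not in jar:
        return None
    return verify_jwt(jar["access_token"].value, now)
```

Because the browser attaches cookies to every matching request on its own, the SameSite attribute (or a CSRF token) takes over the job that "only my script sets the bearer header" did in header-based auth. Scoping the refresh-token cookie with a Path limited to the refresh endpoint keeps it from travelling on every API call.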