
The Guide to Handling JWTs on Front End Clients (2019) - dmitryminkovsky
https://hasura.io/blog/best-practices-of-using-jwt-with-graphql
======
SahAssar
It seems to me that every time I read guides about using JWT and if I would
fully follow what was needed to make them secure I'd also lose everything
that they say is good about them. At least macaroons offered something new
(delegation and third party caveats), and normal cookies can be protected
against CSRF and XSS pretty well these days.

I get that how much security you need is a sliding scale, but the closer you
move to "secure", the less JWTs seem like an acceptable option and the closer
you move to "lax" the more macaroons seem like a more interesting option.

