Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You can also store a JWT in localStorage and require an additional secure signature for it within a cookie (http-only). Best of both worlds.


If doing that, why not go full-mode and store JWT in cookie with http-only flag?


There are good uses for page content to know what's in the JWT (display username, show logged-in status, etc). Cookies also have stricter size limits. Additionally, cookies by themselves are uniquely vulnerable to CSRF, although I guess these days using SameSite property correctly mitigates that.


You can prevent CSRF attacks by simply requiring a custom HTTP header: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Re...




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: