Message from JavaScript discussions
January 2018
— The cookie is sent automatically, so by itself is a huge CSRF risk. But, since it is HTTPOnly, scripts can't see it! The hashed localStorage CSRF token is only available to scripts on the domain, so as long as you prevent XSS, nothing would be able to compromise the tokens.
It is vastly more complex and high risk compared to server sessions and traditional CSRF token embedding.
— I am missing the link between backend and frontend
— HTTPOnly JWT Cookie for session token & CSRF token = no script can ever see or steal the JWT
Hashed CSRF token in localStorage = only local scripts from the origin can attempt to make requests, or XSS
— With this method Express will handle JWT tokens and reply to the endpoint if the token is valid
— But
— Who is in charge to store the token?
— If you don't keep a blacklist table, then just the browser
— So the browser itself stores the token automatically and sends it every time I call the APIs?
— Yes, as a cookie
— The browser will auto-send the cookie though, which means every other website on the internet can send it too
— To secure it, you need another token but not as a cookie, rather just in localStorage, which only scripts from your origin can see