Message from JavaScript discussions
January 2018
— I am missing the link between backend and frontend
HTTPOnly JWT Cookie for session token & CSRF token = no script can ever see or steal the JWT
Hashed CSRF token in localstorage = only local scripts from the origin can attempt to make requests, or XSS
— With this method Express will handle JWT tokens and reply to the endpoint if the token is valid
— But
— Who is in charge to store the token?
— If you don't keep a blacklist table, then just the browser
— So the browser itself stores the token automatically and sends it every time I call the APIs?
— Yes, as a cookie
— The browser will auto-send the cookie though, which means every other website on the internet can send it too
— To secure it, you need another token but not as a cookie, rather just in localstorage, which only scripts from your origin can see
— When I coded PHP, I used several cookies with different expiration times, so if any cookie from the browser was broken, the session terminated
— A simple <img> tag can attack your app from any website if you only use cookies