Does Storing JWTs In HTTP Only Cookies Stop XSS Attacks

LocalStorage, Cookies or HTTP Only Cookies? Where should we store JSON Web Tokens? Asking @bawad

Comments
Author

HTTP-only cookies protect you from XSS, but what you're talking about is CSRF (Cross-Site Request Forgery). CSRF is the instance of them taking the token. In summary, no, HTTP-only cookies don't secure the application, but they add layers, which is what you're supposed to do to make it harder for malicious users!!

Also, great stream!

TheSocialDeveloper
Author

Ben's hair is like every engineer in my department, including mine, lol

madvillany
Author

I'm currently learning cookies and headers, and have almost grasped the idea. I'm just glad to hear the topic shared with the world; it just feels great to listen to as a beginner or, I believe, probably even as an expert in web development.

imgrey
Author

I am exactly like Ben, I flip-flop between the storages a lot, but I always wonder why there is no absolutely secure way of doing authentication.

alibarznji
Author

This is reassuring. Honestly implementing auth has gotten me to the point where if I need it again I will just use some auth service.

lukewestondev
Author

Ben Awad moving constantly reminds me of Kurt Cobain singing Plateau at the Unplugged in New York concert.

duderocks
Author

While it is true that an XSS attacker has access to make API calls on the victim's behalf regardless of auth with HTTP-only session cookies or token-based auth, the scope, duration and context of the attack are always confined to the client's session when using auth with cookies, while the theft of auth tokens and refresh tokens can result in unlimited access for the attacker, unbeknownst to the victim.

tombalabomba
Author

But HttpOnly still sounds cooler than local storage, so why not?

mursalrabb
Author

If you cannot get the access token from an HTTP-only cookie, you cannot get the Resource Server to authorize your request, but you can send the HTTP-only cookie, which is in a way equivalent to providing your refresh token, if it is stored in it.
I don't think you can access the memory space of an executing script, though, only the space of your malicious script, if you are a hacker. So, I think this leaves storing a JWT refresh or access token in memory as the only secure option.

georgesmith
Author

lol that explains in more detail why dogehouse stores jwt in local.

Merserissugoi
Author

Wouldn't a CORS policy prevent requests for unknown endpoints?

hakuna_matata_hakuna
Author

Two fav people in one video. What else do you need?

arfan
Author

If you store your access tokens in HTTP-only cookies, then are you even able to send them in the bearer header to your backend APIs?? That's what I thought the issue was and why people opt for local storage or non-HTTP-only cookies?

daviddoyle
Author

Just seeing Ben, hitting the like button was automated.

imiebaka
Author

You have to be logged into the app too, right? Also, why not set a really short refresh token time?

rahul
Author

Worth watching!! Grabbed some points ✌️✌️

adityanr
Author

No Ben, it is NOT what is easiest for the developer. It is about what is the most secure way to do it. And it seems there are only two options: in memory as part of the script's state (most secure) and as an HTTP Only cookie (with the browser blocking JavaScript from reading the contents of the cookie). But something tells me that if it is a cookie, albeit HTTP only, it is still stored somewhere on disk and therefore is susceptible to other types of attacks that can retrieve an arbitrary file.

georgesmith
Author

☺️ it's like you read my mind, it's just the video I was looking for, guaranteed ♥️

shindradavid
Author

awesome. Please make a video on this topic Dennis. It will be very useful.

rangabharath
Author

Bro's doing anything to defend local storage

achirasilva