Is this cookie safe against XSS and CSRF attacks?
Answered
Giant panda posted this in #help-forum
Giant pandaOP
Hi, I need to authenticate an API and I can't use NextAuth, so I need to make my own auth system. I'm not sure if this API is secure enough.
It's for an online store, so I need to protect the customer account.
```js
response.cookies.set('token', accessToken, {
  httpOnly: true,                                      // not readable by page scripts
  sameSite: "strict",                                  // not sent on cross-site requests
  secure: process.env.NODE_ENV === "production",       // HTTPS-only outside local development
  expires: new Date(Date.now() + 60 * 60 * 24 * 1000), // 24 hours; Date.now() is in milliseconds
  path: "/"
});
```
Answered by tafutada777
@Giant panda Basically, it seems okay. You have set both httpOnly and SameSite to strict, so the cookie won't be used as a third-party cookie. If you want to add an additional layer of security, you could use a CSRF token. If the accessToken is being used as an API key, you might want it to be an encrypted JWT, or store it in a DB instead of a cookie, as done in Auth.js.
2 Replies
Answer
Giant pandaOP
Very helpful, thanks!