Next.js Discord

Is this cookie safe against XSS and CSRF attacks?

Answered
Giant panda posted this in #help-forum
Giant pandaOP
Hi, I need to authenticate an API and I can't use NextAuth, so I need to make my own auth system. I'm not sure if this API is secure enough:

response.cookies.set('token', accessToken, {
  httpOnly: true,                                      // not readable from client-side JavaScript
  sameSite: "strict",                                  // never sent on cross-site requests
  secure: process.env.NODE_ENV === "production",       // HTTPS-only outside development
  expires: new Date(Date.now() + 60 * 60 * 24 * 1000), // 24 hours; Date.now() is in ms, so without "* 1000" the cookie expired after ~86 seconds
  path: "/"
});

It's for an online store, so I need to protect the customer accounts.
Answered by tafutada777
@Giant panda Basically, it seems okay. You have set both httpOnly and SameSite to strict, so the cookie won't be used as a third-party cookie. If you want to add an additional layer of security, you could use a CSRF token. If the accessToken is being used as an API key, you might want it to be an encrypted JWT, or store it in a DB instead of a cookie, as done in Auth.js.

2 Replies

Giant pandaOP
Very helpful, thanks!