2022 Frontend security in 1 tweet:
1. Use HTTPS
2. Server render
3. Store the JWT/token in a 'secure', 'samesite', 'httponly' cookie (httponly keeps script from reading the token, so XSS can't steal it).
4. Declare a Content Security Policy (mitigates XSS)
5. Regenerate the session cookie when the user authenticates (prevents session fixation)
6. Set a short cookie lifetime
Why server render? So you can set an 'httponly' cookie on the server, which is safest.
Can’t server render? A compromise:
1. Store the JWT/token in a 'secure', 'samesite' cookie (the latter prevents CSRF).
2. Prefix the cookie's name with "__Host-" (prevents session fixation: the browser only accepts it over HTTPS, with Path=/ and no Domain attribute, so a subdomain can't plant it)
Update: Someone claimed that an httponly cookie can be safely set via an AJAX call (and thus be supported on a client rendered app).
I’ve never seen that approach recommended. Anyone have a link to a trusted source recommending that approach?