Security
coryhouse opened this issue · 0 comments
coryhouse commented
- Declare a strict Content security policy
- Consider including a CSRF token on sensitive forms if there's a chance the site could have an XSS vulnerability (typically from displaying user-submitted content)
- Prefer using a cookie over localStorage for the auth token. Cookie too big? Split it. (remember cookies are automatically sent with each request, so consider using localStorage for non-sensitive info, or using separate domains for static resources like images).
Cookie best practices
- Set an HTTP only cookie.
- Set the `secure` attribute.
- Set `samesite` to strict.
- Prefix the name with `__Host` so it's tied to a specific host.
- Regenerate when a user auths (prevent session fixation)
- Declare a specific cookie ‘path’ if possible to save bandwidth.
Cookie practices if HTTP only cookie isn't possible for some reason
Can set an `httponly` cookie via an AJAX call, but haven't seen this approach recommended by trusted parties for some reason. So, instead, can do below.
- Store the auth token in a cookie, not localStorage.
- Set the ‘secure’ and ‘samesite’ attributes (the latter protects against XSRF).
- Prefix the cookie’s name with “__Host-” (so only the domain can set it)