coryhouse/reactjsconsulting

Security

coryhouse opened this issue · 0 comments

My summary in a tweet

  • Declare a strict Content Security Policy (nonce- or hash-based script-src, object-src 'none', base-uri 'none') so that injected markup cannot execute script.
  • Include a CSRF token on sensitive (state-changing) forms; SameSite cookies reduce the risk but are not a complete defense on their own. Note that a CSRF token does not help against XSS: a script injected into the page (typically via displayed user-submitted content) can read the token and submit the form with it, so XSS has to be prevented separately, with the CSP above and output encoding.
  • Prefer a cookie over localStorage for the auth token (localStorage is readable by any script running on the page; an HttpOnly cookie is not). Cookie too big? Split it across several cookies. Remember that cookies are sent automatically with every request to their domain, so keep non-sensitive state in localStorage and serve static resources such as images from a separate, cookieless domain.

Cookie best practices

  • Set the HttpOnly attribute so that script cannot read the cookie.
  • Set the Secure attribute so that it is only sent over HTTPS.
  • Set SameSite=Strict (or Lax if Strict breaks links into the site from elsewhere; Strict withholds the cookie on cross-site top-level navigations too).
  • Prefix the name with __Host- so it's tied to the exact host: the browser only accepts it when set over HTTPS with Secure, no Domain attribute, and Path=/.
  • Regenerate the session ID when a user authenticates (prevents session fixation).
  • Declare a specific cookie Path where possible to save bandwidth. Note this is incompatible with the __Host- prefix, which requires Path=/.

Cookie practices if an HttpOnly cookie isn't possible for some reason

An HttpOnly cookie can be set via an AJAX call, but I haven't seen this approach recommended by trusted parties for some reason. So, instead, do the following.

  • Store the auth token in a cookie, not localStorage.
  • Set the Secure and SameSite attributes (the latter protects against CSRF).
  • Prefix the cookie's name with "__Host-" (so only that exact host can set it, over HTTPS, with Path=/ and no Domain attribute).