Are there any security risks with using cookies for server side rendering and JWT for API requests?

In my planned auth model I will be

  1. Storing a JWT in localStorage. This will be used for API requests and it will be passed in the Authorization header as a bearer token.

  2. Storing the token in a cookie as well.

Using JWT auth for the API is useful because there will be mobile clients that will access these APIs as well and bearer tokens are simple to use on those platforms.

The cookie will only be used for GET requests. This way Next.js can render and hydrate the app on the server before it reaches the client. That way, if they are signed in, they will see the logged in experience rather than seeing the unauthed landing page and flashing into the authed experience.

My question is, are there any major red flags you see with this security model? The only one I can think of is that my app is vulnerable to XSS.



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
