First time posting here, so please let me know if this isn't the place to ask questions like this.

I have a SPA (Vue) that talks with an API (express) and only need to authorize the user on POST requests (no need for a session).

I was thinking of going with JWT but I heard a lot of people saying how storing in localStorage makes you susceptible to XSS and how you should store it in an httponly secure cookie, but then now you need to deal with CSRF, not to mention I have to handle all of the refresh token nonsense and it's just exploding in complexity!!

So I thought 'maybe I'll go with good ol' cookie sessions instead', but I'm using an API, and literally everybody and their mother only uses csurf for rendering in a view and there's NO resource (I've wasted way too much time on this) about how to do csrf protection when you have a headless API...

So now I'm stuck (and frustrated). What should I do for my use case?
Submitted December 02, 2018 at 12:01PM by thepotatochronicles