Cookies
Servers can instruct browsers to set a cookie by including a special header in the response named "Set-Cookie". The value of this header includes the cookie name, its value and, optionally, attributes.
When you make a fetch request from the browser with the credentials option set, the browser automatically sends all cookies stored for that domain, without needing to set any Authorization (Bearer) header.
attributes / settings
for production JWT cookies you will probably want to use these settings:
// __prod__ is a bool that is true when NODE_ENV is "production"
const __prod__ = process.env.NODE_ENV === "production";
const cookieOpts = {
  httpOnly: true, // not readable from JS (document.cookie)
  secure: __prod__, // only sent over https in production
  sameSite: "lax", // not sent on cross-site POSTs / embedded requests
  path: "/",
  domain: __prod__ ? `.${process.env.DOMAIN}` : "", // leading dot: shared with subdomains
  maxAge: 1000 * 60 * 60 * 24 * 365 * 10, // 10 years, in milliseconds (express res.cookie convention)
} as const;
httpOnly
makes the cookie not accessible from javascript
secure
makes the cookie only be sent over https
more info on cookie attributes:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Creating_cookies
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes
- https://owasp.org/www-community/SameSite
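As an added example (not code from the original note), here is how the option object above turns into the actual "Set-Cookie" header the browser receives, and how the "Cookie" header that comes back is parsed. It assumes the express convention that maxAge is in milliseconds (the header's Max-Age is in seconds), and uses only Node built-ins; the sample cookie values are constructed.

```javascript
// Serialize a cookie name/value plus attributes into a Set-Cookie header value.
// opts has the same shape as cookieOpts above (assumption: maxAge is in ms, as in express).
function serializeCookie(name, value, opts = {}) {
  // RFC 6265 token characters only; anything else would break the header
  if (!/^[\w!#$%&'*+.^`|~-]+$/.test(name)) throw new Error("invalid cookie name");
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge != null) parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`); // "" in dev -> host-only cookie
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.secure) parts.push("Secure");
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.sameSite) {
    const label = { lax: "Lax", strict: "Strict", none: "None" }[String(opts.sameSite).toLowerCase()];
    if (!label) throw new Error("invalid sameSite value");
    // Browsers reject SameSite=None cookies that are not also Secure
    if (label === "None" && !opts.secure) throw new Error("SameSite=None requires Secure");
    parts.push(`SameSite=${label}`);
  }
  return parts.join("; ");
}

// Parse the request's Cookie header ("a=1; b=2") into a plain object.
// The browser never sends attributes back, only name=value pairs.
function parseCookieHeader(header) {
  const out = {};
  for (const pair of (header || "").split(";")) {
    const idx = pair.indexOf("=");
    if (idx < 0) continue;
    const k = pair.slice(0, idx).trim();
    const v = pair.slice(idx + 1).trim();
    if (k) out[k] = decodeURIComponent(v);
  }
  return out;
}

// Constructed demo: the production option set from the note, with a placeholder domain and token.
function demoProdHeader() {
  const prodOpts = {
    httpOnly: true,
    secure: true,
    sameSite: "lax",
    path: "/",
    domain: ".example.com", // placeholder for `.${process.env.DOMAIN}`
    maxAge: 1000 * 60 * 60 * 24 * 365 * 10,
  };
  return serializeCookie("jid", "header.payload.signature", prodOpts);
}

console.log(demoProdHeader());
console.log(parseCookieHeader("jid=header.payload.signature; theme=dark"));
```

The dev variant (secure false, empty domain) simply drops the Secure and Domain attributes, which is why the same option object can be reused across environments.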
cookies consent
in the EU it is illegal to not have consent banners on your site. You can code up your own solution (and probably should) or there are many service providers like:
paid:
cookiesyes (generous free tier), cookiebot, cookiescript, finsweet, cookie-solution
free offered by companies:
these people might be harvesting your data?
- https://www.cookieconsent.com/
- https://www.freeprivacypolicy.com/free-cookie-consent/
- https://silktide.com/consent-manager/
open source:
- oss npm packages like js-cookie
- cookieconsent
- https://github.com/brainsum/cookieconsent