Servers can instruct browsers to set a cookie by including a special header in the response named "Set-Cookie" the val of this header includes info like: name, value and attributes (optional)

when you make a fetch request from the browser and set credentials to true it automatically sends all cookies stored in that domain, without needing to set any Auth (Bearer ) headers.

attributes / settings

for production JWT cookies you will prob want to use this settings:

//__prod__ is bool that is true when the NODE ENV is "production"
const cookieOpts = {
  httpOnly: true,
  secure: __prod__,
  sameSite: 'lax',
  path: "/",
  domain: __prod__ ? `.${process. env. DOMAIN}` : "",
  maxAge: 1000 * 60 * 60 * 24 * 365 * 10, // 10 year
} as const;

• httpOnly makes cookie not accessible by javascript
• secure so it only works on https

more info on cookie attributes:

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Creating_cookies
• https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes
• https://owasp.org/www-community/SameSite

cookies consent

in the EU it is ilegal to not have consent banners on your site. You can code up your own solution (and probably should) or there are many service providers like:

paid:
cookiesyes (generous free tier), cookiebot, cookiescript, finsweet, cookie-solution

free offered by companies:
this ppl might be harvesting your data?

• https://www.cookieconsent.com/
• https://www.freeprivacypolicy.com/free-cookie-consent/
• https://silktide.com/consent-manager/

open source:

• oss npm packages like js-cookie
• cookieconsent
• https://github.com/brainsum/cookieconsent