Cookies
Servers can instruct browsers to set a cookie by including a special header in the response named "Set-Cookie". The value of this header includes info like: name, value and attributes (optional).
When you make a fetch request from the browser and set the credentials option so cookies are included, it automatically sends all cookies stored for that domain, without needing to set any Auth (Bearer) headers.
attributes / settings
For production JWT cookies you will probably want to use these settings:
// __prod__ is a bool that is true when NODE_ENV is "production"
const __prod__ = process.env.NODE_ENV === "production";
const cookieOpts = {
  httpOnly: true,      // not readable from JavaScript
  secure: __prod__,    // only sent over https in production
  sameSite: 'lax',
  path: "/",
  domain: __prod__ ? `.${process.env.DOMAIN}` : "",
  maxAge: 1000 * 60 * 60 * 24 * 365 * 10, // 10 years (in ms)
} as const;
httpOnly
makes the cookie not accessible by JavaScript
secure
so the cookie is only sent over https
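As an added example (not part of these notes, and not how Express or the cookie library serialise internally), the helpers below build the Set-Cookie header value that the options above produce and then audit it for the attributes a token cookie should carry; cookieOptions, serializeCookie and auditSetCookie are assumed names and the domain/value strings are constructed sample data.

```javascript
// Added example: serialise the notes' cookie options into a Set-Cookie
// header and audit that header. Uses only plain Node/JS, no libraries.

// Same shape as the notes' cookieOpts, parameterised so both the production
// and the development variant can be produced.
function cookieOptions(prod, domain) {
  return {
    httpOnly: true,
    secure: prod,
    sameSite: "lax",
    path: "/",
    domain: prod ? `.${domain}` : "",
    maxAge: 1000 * 60 * 60 * 24 * 365 * 10, // 10 years in ms, as in the notes
  };
}

// Build one Set-Cookie header value. Max-Age is in seconds on the wire,
// so the millisecond maxAge used by the JS option object is converted.
function serializeCookie(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge != null) parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  if (opts.sameSite) {
    const v = opts.sameSite;
    parts.push(`SameSite=${v[0].toUpperCase()}${v.slice(1)}`); // lax -> Lax
  }
  return parts.join("; ");
}

// Defender-side check: return the weaknesses of a Set-Cookie header that
// carries a session/JWT token (empty array means the header looks right).
function auditSetCookie(header) {
  const attrs = header.split(";").slice(1).map((s) => s.trim().toLowerCase());
  const problems = [];
  if (!attrs.includes("httponly")) problems.push("missing HttpOnly: readable by page scripts");
  if (!attrs.includes("secure")) problems.push("missing Secure: sent over plain http");
  const ss = attrs.find((a) => a.startsWith("samesite="));
  if (!ss || ss === "samesite=none") problems.push("SameSite none/absent: sent on cross-site requests");
  return problems;
}
```

In development the Secure flag is deliberately off (secure: __prod__), which the audit reports; that is expected locally but must not ship to production.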
more info on cookie attributes: