
Building Secure JavaScript Applications

Open gergelyke opened this issue 7 years ago • 8 comments

gergelyke avatar Jan 18 '18 21:01 gergelyke

Hello, under the "# How can I protect against CSRF?" section, the last line. You had "To learn more about XSS prevention, read the CSRF Prevention Cheat Sheet: https://www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet." Should be "To learn more about CSRF"?

4y0 avatar Jan 18 '18 21:01 4y0

Thanks a lot @4y0! Fixed :)

gergelyke avatar Jan 18 '18 21:01 gergelyke

For a "Change password" type of form, is it safe to send that form data via AJAX? It seems no matter what, the password can somehow be peeked at in the browser. Is this right? Or is there a safe way to transmit a new password back to the server with AJAX?

pjsinco avatar Jan 19 '18 18:01 pjsinco

Hi @pjsinco! If the password is sent via HTTPS, you should be good.

gergelyke avatar Jan 19 '18 19:01 gergelyke

You recommend cookies to store JWTs, but how would that work in a SPA which is static and served on a CDN?

blocka avatar Jan 25 '18 09:01 blocka

Hi. What is your opinion on storing the access token and refresh token in local storage? Relatively frequent refresh of both tokens, every 10 minutes. HTTPS, of course.

tnerbovik avatar Jan 29 '18 12:01 tnerbovik

100% agreed with this post on it: https://www.rdegges.com/2018/please-stop-using-local-storage/

gergelyke avatar Jan 29 '18 16:01 gergelyke

But does this article take into consideration that my OAuth2 tokens (access and refresh) are refreshed quite often (for instance every minute without any notable overhead doing that)?

tnerbovik avatar Feb 01 '18 14:02 tnerbovik
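Added example, not part of the thread or of the original post, illustrating blocka's question (cookies for a static SPA on a CDN) and the local storage discussion that follows: the static host never touches the token; the API origin sets an HttpOnly cookie that the SPA sends back with `credentials: 'include'`. The origins, the `session` cookie name and the `verifyJwt` callback are assumed placeholders; the example also assumes the API and the SPA share a registrable domain (otherwise SameSite=Strict would block the cookie).

```javascript
// Assumed origins: the static bundle lives on app.example.com (a CDN),
// the API on api.example.com; both share the registrable domain example.com,
// so a SameSite=Strict cookie set by the API is still sent by the SPA.
const SPA_ORIGIN = 'https://app.example.com';

// Set-Cookie value for the JWT. HttpOnly keeps it out of document.cookie
// (so script, including injected script, cannot read it, unlike local
// storage), Secure restricts it to HTTPS, SameSite limits cross-site use.
function jwtCookieHeader(token, maxAgeSeconds) {
  return `session=${token}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}

// CORS response headers that let the SPA origin send credentials.
// A wildcard origin is not permitted with credentials, so the origin is
// echoed back only when it is the expected one.
function corsHeadersFor(origin) {
  if (origin !== SPA_ORIGIN) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// API handler for a protected route: the token is read from the cookie only,
// never from a header the SPA would have to fill from script-readable storage.
// verifyJwt is a hypothetical stand-in for a real JWT library's verify call;
// it returns the claims object or null.
function handleProfile(req, verifyJwt) {
  const token = parseCookies(req.headers.cookie).session;
  const claims = token ? verifyJwt(token) : null;
  const headers = corsHeadersFor(req.headers.origin);
  if (!claims) return { status: 401, headers, body: 'unauthenticated' };
  return { status: 200, headers, body: `hello ${claims.sub}` };
}

// What the SPA passes to fetch(): credentials: 'include' is what makes the
// browser attach the cookie to the cross-origin API request.
function spaFetchOptions() {
  return { method: 'GET', credentials: 'include' };
}
```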