
I have a REST API and a frontend project like React or Angular. The REST API serves private videos and images besides JSON data. So, I was using the Authorization header with the bearer scheme. The token is created via jsonwebtoken, also known as JWT. But the browser JavaScript does not let me add a header while using a video tag or img tag, so I cannot use the Authorization header anymore. I think I have two choices:

  1. I will use my token in the URL via query params, like an API key.
  2. I will use a cookie, which will automatically be sent even when using a video or img tag.

So, what should I do? The first option is the easiest for me; I did it before. But it is not very secure. HTTPS does not encrypt the URL. A REST API should set the cookie via the Set-Cookie header. Is there any problem with JWT while using a cookie?

feyzullahyildiz

1 Answer


It is only safe to put a JWT into the query parameters under these conditions.

Based on what I know, using a cookie to remind your REST API that your user is authenticated would be preferable.

But do not put sensitive information in cookies, even Secure and HttpOnly cookies. From MDN Cookies:

A secure cookie is only sent to the server with an encrypted request over the HTTPS protocol. Even with Secure, sensitive information should never be stored in cookies, as they are inherently insecure and this flag can't offer real protection.

Dylan Landry