Is it any less secure to return a csrf-token via res.json(), than returning via res.cookie()?
My project configuration is set as follows:
Domains:
front-end: "https://front.domainA.com" // AWS Amplify, React
back-end: "https://back.domainB.com" // AWS Amplify, Express.js
Further details
Please note that I've tested sharing cookies across localhost ports (front-end: 3000, back-end: 5000) with no problems.
That said, now that my app is on real-world domains, it no longer allows me to read cookies generated from another domain. I've created a separate post in regard to that question. You can read it here. Please reply in that thread if you have answers to that question.
Because of this, I am looking at returning my CSRF-Token in the response body, as so:
    static async csrfToken(req, res, next) {
      console.log("catching waves...");
      return res.status(200).json({ "csrf-token": req.csrfToken() });
    }
Instead of a cookie in the response header, like so:
    static async csrfToken(req, res, next) {
      console.log("catching waves...");
      res.cookie("csrf-token", req.csrfToken(), {
        secure: true,
        sameSite: "none",
      });
      return res.status(200).json({ message: "We be surfing!" });
    }
So back to my original question.
Is it less secure to return a CSRF-Token in a response body? And is there any downside for doing that as opposed to returning in a cookie?
Thanks in advance for your answers.
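
Who can read a token returned in the response body is decided by the back-end's CORS policy, so that policy is the thing to check for the two domains above. The following is an added example, not the poster's code: it models the browser's check for a credentialed cross-origin request under a weak and a hardened policy. The function names, the second origin and the `CSRF-Token` request header are assumptions.

```javascript
// Added example, not the poster's code. FRONT_END is the front-end domain from
// the question; everything else here is a constructed illustration.
const FRONT_END = "https://front.domainA.com";

// Weak policy: echoes whatever Origin the request carries and allows
// credentials, so any site's script may read the token response.
function reflectAnyOrigin(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened policy: only the known front-end origin gets CORS read access.
function allowFrontEndOnly(origin) {
  const headers = { Vary: "Origin", "Cache-Control": "no-store" };
  if (origin === FRONT_END) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
    // Assumption: the front-end sends the token back in this request header.
    headers["Access-Control-Allow-Headers"] = "Content-Type, CSRF-Token";
  }
  return headers;
}

// Model of the browser's CORS check for a credentialed fetch(): the page's
// script may read the JSON body only if its origin is echoed exactly
// (a "*" wildcard is refused) and credentials are explicitly allowed.
function pageCanReadBody(pageOrigin, responseHeaders) {
  return (
    responseHeaders["Access-Control-Allow-Origin"] === pageOrigin &&
    responseHeaders["Access-Control-Allow-Credentials"] === "true"
  );
}

// Lists which origins could read { "csrf-token": ... } under a given policy.
function audit(policy) {
  const origins = [FRONT_END, "https://other.example"]; // second one is constructed
  return origins.filter((o) => pageCanReadBody(o, policy(o)));
}

console.log("reflecting policy:", audit(reflectAnyOrigin));
console.log("allow-list policy:", audit(allowFrontEndOnly));
```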