
I am a bit confused about how to set up my token securely and about the dangers in CSRF attacks.

For now I have a server set up in FastAPI.

I have an endpoint where, when you log in, I return the following.

{
  "access_token": "my_token",
  "token_type": "bearer"
}

The first question is: is it a backend task to set the cookie in the session? I ask this because I have had problems, for example, with browsers in incognito mode. What I have done for now is return the token directly and have the frontend set it. What would be the correct way to save a cookie in incognito?

The second question would be: what is the difference between a cookie and local storage? Where should the bearer token be stored?

Another question I have is about CSRF attacks: in FastAPI I have configured CORS so that only requests from my front end (React) are accepted. I have also created a middleware for FastAPI that checks that the "Origin" header exists in the request and, if it does not detect it, returns an error. -> Is this enough to avoid a CSRF attack?

sideshowbarker
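The following is an added example, not code from the question and not FastAPI's own code. It shows, in plain Python (stdlib only), the two pieces the question describes: the Origin-based CSRF check as written in the question (header present or not), beside a check that compares the source origin against an allowlist, and the Set-Cookie header a backend would emit if it stored the token in a cookie rather than returning it in the JSON body. The allowlist value `https://app.example.com`, the cookie name `session`, and the convention that header names arrive lowercased (as they do in Starlette's `request.headers`) are assumptions for the example.

```python
"""Added example: CSRF origin check and session cookie construction (stdlib only)."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Assumption for the example: the React front end is served from this origin.
ALLOWED_ORIGINS = {"https://app.example.com"}


def origin_present(headers: dict[str, str]) -> bool:
    """The check described in the question: accept when an Origin header exists.

    A cross-site form POST or fetch() from https://evil.example arrives with
    `Origin: https://evil.example`, so this check lets a forged request through.
    Header keys are assumed lowercased (constructed inputs in the test do this).
    """
    return "origin" in headers


def origin_allowed(headers: dict[str, str], allowed: set[str] = ALLOWED_ORIGINS) -> bool:
    """Accept only when the request's source origin matches the allowlist exactly.

    Falls back to scheme+host of the Referer when Origin is absent (some
    same-site navigations omit Origin), and rejects when neither is present
    or when Origin is the opaque value "null" (sandboxed iframes, data: URLs).
    """
    origin = headers.get("origin")
    if origin is None:
        referer = headers.get("referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        if not parts.scheme or not parts.netloc:
            return False
        origin = f"{parts.scheme}://{parts.netloc}"
    # Exact set membership: "https://app.example.com.evil.example" does not match.
    return origin != "null" and origin in allowed


def session_cookie_header(token: str, name: str = "session", max_age: int = 3600) -> str:
    """Build the Set-Cookie header value for a backend-issued session cookie.

    HttpOnly keeps page scripts (including an XSS payload) from reading the
    token, which is the property localStorage cannot give. Secure restricts it
    to HTTPS. SameSite=Strict stops the browser from attaching the cookie to
    cross-site requests, which is the CSRF defence a cookie needs explicitly.
    The cookie name "session" is an assumption for the example.
    """
    cookie = SimpleCookie()
    cookie[name] = token
    morsel = cookie[name]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


if __name__ == "__main__":
    # Constructed request headers, as a browser would send them from a hostile page.
    forged = {"origin": "https://evil.example", "content-type": "application/x-www-form-urlencoded"}
    print("question's check passes forged request:", origin_present(forged))   # True
    print("allowlist check passes forged request:", origin_allowed(forged))     # False
    print(session_cookie_header("my_token"))
```

In a FastAPI app the allowlist check would run inside an `@app.middleware("http")` function against `request.headers`, and the login endpoint would emit the cookie with `response.set_cookie(...)` using the same HttpOnly, Secure and SameSite attributes rather than returning the token in the response body. CORS configuration does not replace this check: CORS governs whether the browser lets the page read the response, not whether the request is sent, so a forged POST still reaches the server with the user's cookies attached.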
