How to secure a refresh token in a JWT system when it's sent as an HttpOnly cookie
In my React + Django project, I’m currently sending the refresh token as an HttpOnly cookie. The problem with HttpOnly cookies is that they are automatically sent by the browser, which makes them vulnerable to CSRF attacks. To address this, I decided to add a CSRF token for the refresh request. However, the issue I’m facing is that I’m unable to read the CSRF token using JavaScript. I think this is because my frontend and backend are on different domains. When I searched online, I found that cross-site cookies can’t be read by JavaScript. If that’s true, what are the possible ways to protect the refresh token request?
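One common answer to this question is to stop relying on a CSRF *cookie* that cross-origin JavaScript cannot read, and instead return the CSRF token in the JSON body of the refresh response, keep it in memory on the frontend, and send it back as a custom request header. The server binds that token to the refresh cookie with an HMAC, so a request that carries the cookie but no valid header (which is all a cross-site attacker can produce) is rejected; an Origin allowlist is checked first as a cheap second layer. The code below is an added, framework-independent illustration of that pattern, not code from the question or from Django; the secret, origin, cookie name and path are constructed placeholders, and the request is modelled as plain `cookies` and `headers` dicts rather than a Django `HttpRequest`.

```python
import hmac
import hashlib
import secrets

# Constructed example values: in a real deployment the binding key comes from
# settings/secrets management and is rotated, and the origin is your frontend.
CSRF_BINDING_KEY = b"example-server-secret-rotate-me"
ALLOWED_ORIGINS = {"https://app.example.com"}   # hypothetical frontend origin
REFRESH_PATH = "/api/token/refresh/"            # hypothetical refresh endpoint
COOKIE_NAME = "refresh_token"


def csrf_token_for(refresh_token: str) -> str:
    """Derive a CSRF token bound to a specific refresh token.

    Because the token is an HMAC over the cookie value, an attacker who can
    make the browser *send* the cookie but cannot *read* it (the cross-site
    case) cannot compute a matching header value.
    """
    return hmac.new(CSRF_BINDING_KEY, refresh_token.encode(), hashlib.sha256).hexdigest()


def issue_refresh_token() -> dict:
    """Server side of login/refresh: set the HttpOnly cookie and return the
    CSRF token in the JSON body, where cross-origin JavaScript *can* read it."""
    refresh = secrets.token_urlsafe(32)
    cookie = {
        "name": COOKIE_NAME,
        "value": refresh,
        # SameSite=None is what a genuinely cross-site frontend needs; it
        # requires Secure. Scoping Path to the refresh endpoint keeps the
        # cookie off every other API request.
        "attributes": {"HttpOnly": True, "Secure": True,
                       "SameSite": "None", "Path": REFRESH_PATH},
    }
    return {"set_cookie": cookie, "body": {"csrf": csrf_token_for(refresh)}}


def format_set_cookie(cookie: dict) -> str:
    """Render the cookie dict as a Set-Cookie header value."""
    parts = [f"{cookie['name']}={cookie['value']}"]
    for attr, val in cookie["attributes"].items():
        parts.append(attr if val is True else f"{attr}={val}")
    return "; ".join(parts)


def validate_refresh_request(cookies: dict, headers: dict) -> tuple:
    """Server side of the refresh request. Returns (ok, reason).

    Order matters for cheapness, not security: every check must pass.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive

    # 1. Origin allowlist: browsers attach Origin to cross-origin fetches and
    #    to all POSTs, and scripts cannot forge it.
    if hdrs.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed"

    # 2. The refresh cookie itself.
    refresh = cookies.get(COOKIE_NAME)
    if not refresh:
        return False, "no refresh cookie"

    # 3. The CSRF header the frontend read from the earlier JSON body.
    supplied = hdrs.get("x-csrf-token")
    if not supplied:
        return False, "missing X-CSRF-Token header"

    # 4. Constant-time comparison against the value bound to this cookie.
    if not hmac.compare_digest(supplied, csrf_token_for(refresh)):
        return False, "csrf token mismatch"

    return True, "ok"


if __name__ == "__main__":
    issued = issue_refresh_token()
    print("Set-Cookie:", format_set_cookie(issued["set_cookie"]))
    browser_cookies = {COOKIE_NAME: issued["set_cookie"]["value"]}
    # Legitimate frontend request: cookie + header read from the JSON body.
    print(validate_refresh_request(browser_cookies, {
        "Origin": "https://app.example.com",
        "X-CSRF-Token": issued["body"]["csrf"],
    }))
    # Cross-site forgery: the browser attaches the cookie, nothing else.
    print(validate_refresh_request(browser_cookies, {"Origin": "https://evil.example"}))
```

Two practical notes on the design. The HMAC binding means the server keeps no CSRF state per session, and the token cannot be replayed against a different refresh cookie. If your frontend and backend are actually on the same site (e.g. different subdomains of one registrable domain), `SameSite=Lax` or `Strict` on the cookie already blocks cross-site submission and the header check becomes defence in depth rather than the only line; `SameSite=None` is only needed when the two really are different sites, as the question describes.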