Y
Hacker News
new
|
ask
|
show
|
jobs
by
poxrud
2214 days ago
Because then you can be vulnerable to csrf attack. For example if someone tricks you into clicking www.mysite.com/api/delete-account
1 comments
anaxag0ras
2214 days ago
CSRF attacks can be prevented using same-site policy with cookies.
link
poxrud
2214 days ago
That is true but it will not protect against all forms of CSRF, for example you'll be vulnerable if you have user generated content that's not sanitized properly. On the refresh_token cookie I have sameSite and httpOnly set.
link