Y
Hacker News
new
|
ask
|
show
|
jobs
by
poxrud
2214 days ago
That is true but it will not protect against all forms of CSRF, for example you'll be vulnerable if you have user generated content that's not sanitized properly. On the refresh_token cookie I have sameSite and httpOnly set.