Facebook Pixel

How do I securely store JWT in a cookie?

Set httpOnly: true (no script access), secure: true (HTTPS only), sameSite: 'lax' or 'strict' (CSRF protection), and maxAge matching the JWT expiry. Clear with the same options on logout.

Verify This Answer

Cross-check this information using these trusted sources:

More FAQs in How to Securely Store JWT in Cookies

Scripts cannot read the cookie. This protects against XSS-driven token theft. Without httpOnly, any script (including injected ones) can read the token and send it to an attacker.

The cookie is only sent over HTTPS. Without secure, the cookie is sent over HTTP too, and a man-in-the-middle can read it. Always use HTTPS in production.

Controls when the cookie is sent on cross-site requests. 'strict' never sends it cross-site (strongest CSRF protection). 'lax' sends it on top-level navigations (good balance). 'none' always sends it (requires secure: true; use only for third-party embeds).

Still have questions?

Browse all our FAQs or reach out to our support team

Want to upskill yourself?

Our courses are taking a Coffee break, but your curiosity shouldn't. Stay engaged with namastedev linkedin, youtube, discord and other resources while you wait.

0
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.