Reputation:
I'm using JWT for user login/signup and I had a question about sending/receiving the token.
Currently, I'm storing the token as a property in a JSON object starting in the server, then I send it to the front-end. After the client receives the object it stores the token as a cookie. Every POST request from the client to the server will have a token property in its body, and the response from the server will have the token as a property also.
Is this okay, or should I be sending the token as a header in the requests/responses?
Using: React (+DOM), JavaScript, Express, Node.js
Upvotes: 0
Views: 1597
Reputation:
Hey guys, coming back to this post to add some more information for those who are in the same situation I was.
When using fetch to send requests to your backend, make sure you add
credentials: 'same-origin'
to your fetch options object in order to send/receive cookies to/from the server. I used cookieParser in the Node backend code to send/receive cookies. Make sure to at least make them http-only and include any other security options you need or want.
Upvotes: 1
Reputation: 6171
Storing the JWT token in a cookie is good enough. You don't need to send the token in the request body or return it in the response.
Good practice:
Store the JWT in a cookie with mode http-only and is-secure: true, so JavaScript can't see this token, and only transfer the token over the HTTPS security layer.
Add a custom request header in every AJAX request and verify this header in the backend to avoid CSRF attacks.
Upvotes: 4