Cookies!
Security
Because cookies are often used to hold sensitive data, such as a JWT, it is best to protect them. Three cookie options do most of the work:
- httpOnly
- secure
- maxAge
In production, client-side JavaScript should never be able to read the authorization cookie; otherwise an XSS payload can steal it. Setting `httpOnly: true` marks the cookie HttpOnly, so the browser still sends it with every HTTP/S request but hides it from `document.cookie` and other script APIs. The caveat: HttpOnly stops theft of the cookie, not its use. A script running on the page can still make requests that carry it, so it is a mitigation for XSS, not a fix.
It should also only be sent over a secure connection, so plain HTTP is out: anyone on the path can read a cookie sent in the clear, and if it holds a JWT used for authorization, that alone lets them act as the user without ever knowing the user name or password. `secure: true` tells the browser not to send the cookie unless the connection is HTTPS.
Another measure is giving the cookie a short lifetime. A cookie valid for one month gives an attacker plenty of time to use a stolen copy; at 15 minutes, the theft and the replay both have to happen before it expires. `maxAge` is set in milliseconds, so `maxAge: 1000 * 60 * 60 * 4` is four hours and `maxAge: 1000 * 60 * 15` is fifteen minutes. Note that `maxAge` only tells the browser when to discard the cookie; the server must still check the JWT's own expiry, because an attacker who already holds the token is not bound by the browser's clean-up.
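The three options above map directly onto attributes of the `Set-Cookie` header. The following is an added example, not code from the original notes: it builds a `Set-Cookie` value with HttpOnly, Secure and a lifetime using only Node.js built-ins, and audits any `Set-Cookie` header for the same protections. The option names (`httpOnly`, `secure`, `maxAge` in milliseconds) are the ones Express's `res.cookie()` accepts and it performs the same millisecond-to-seconds conversion internally; the function names `buildAuthCookie` and `auditSetCookie` and the 15-minute limit are this example's own choices.

```javascript
// Added example, not part of the original notes: build a Set-Cookie header
// with the three protections (HttpOnly, Secure, a short lifetime) and audit
// any Set-Cookie header for them. Node.js built-ins only. Option names match
// Express's res.cookie(); buildAuthCookie and auditSetCookie are names chosen
// for this example.

const COOKIE_NAME_RE = /^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/; // RFC 6265 token characters

function buildAuthCookie(name, value, { httpOnly = true, secure = true, maxAge } = {}) {
  if (!COOKIE_NAME_RE.test(name)) throw new Error(`invalid cookie name: ${name}`);
  // Percent-encode the value so a token cannot smuggle ';' or whitespace into the header.
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (typeof maxAge === 'number') {
    // maxAge is milliseconds (Express style); the Max-Age attribute is whole seconds.
    const seconds = Math.floor(maxAge / 1000);
    parts.push(`Max-Age=${seconds}`);
    // Expires is sent as well for old clients that ignore Max-Age.
    parts.push(`Expires=${new Date(Date.now() + seconds * 1000).toUTCString()}`);
  }
  parts.push('Path=/');
  if (httpOnly) parts.push('HttpOnly'); // hidden from document.cookie
  if (secure) parts.push('Secure');     // only sent over HTTPS
  return parts.join('; ');
}

// Parse a Set-Cookie header and list the protections it is missing.
// maxAgeLimitSec is the longest lifetime accepted for an authorization cookie.
function auditSetCookie(header, { maxAgeLimitSec = 15 * 60 } = {}) {
  const attrs = header.split(';').slice(1).map((a) => a.trim()).filter(Boolean);
  const flags = new Set();
  const values = {};
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    if (eq === -1) flags.add(attr.toLowerCase());
    else values[attr.slice(0, eq).trim().toLowerCase()] = attr.slice(eq + 1).trim();
  }
  const findings = [];
  if (!flags.has('httponly')) findings.push('missing HttpOnly: readable from document.cookie, so XSS can steal it');
  if (!flags.has('secure')) findings.push('missing Secure: browser will send it over plain HTTP');
  if (!('max-age' in values) && !('expires' in values)) {
    findings.push('no Max-Age/Expires: lifetime is left to the browser session');
  } else if ('max-age' in values && Number(values['max-age']) > maxAgeLimitSec) {
    findings.push(`Max-Age=${values['max-age']}s exceeds the ${maxAgeLimitSec}s limit`);
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample token; a real JWT would come from the signing routine.
  const good = buildAuthCookie('token', 'eyJhbGciOiJIUzI1NiJ9.e30.sig', { maxAge: 1000 * 60 * 15 });
  console.log(good, auditSetCookie(good));
  const weak = buildAuthCookie('token', 'x', { httpOnly: false, secure: false, maxAge: 1000 * 60 * 60 * 24 * 30 });
  console.log(weak, auditSetCookie(weak));
}
```

Run it with `node` to see a 15-minute cookie pass the audit and a month-long cookie without the two flags produce three findings. The audit is useful as a test against your own server's responses: fetch a login endpoint, read its `set-cookie` header, and fail the build if `auditSetCookie` returns anything.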