Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
CookieStorage with httpOnly
See original GitHub issue** Which Category is your question related to? ** Auth
** What AWS Services are you utilizing? ** Cognito
** Provide additional details e.g. code snippets ** I’m using Amplify with my React app and would like to secure my API using JWTs (not using AWS API Gateway).
Is it possible to use Amplify Auth with CookieStorage and httpOnly? I’d like to prevent XSS with the httpOnly flag but looking at the interface for ICookieStorageData it looks like this isn’t supported. Is it even possible to add support for this?
Alternatively what’s the recommended authentication configuration/flow from a security perspective? I’ve seen the doc mention things like localStorage but from my understanding it’s not secure from a XSS perspective.
Issue Analytics
- State:
- Created 4 years ago
- Reactions:42
- Comments:27 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I would just like to say that this issue is one of the biggest reasons my company is considering the removal of Cognito from our stack (and not being able to set session expiration for less than a day). If there’s anything I can do to elevate the priority of this issue, let me know because I’d love to avoid the pain of migrating away.
Im very surprised this is the only issue in this repo I’m finding regarding the security of a web app using Amplify.
LocalStorage (which seems to be currently used) is definitely not secure from XSS attacks.