
Keep refresh tokens in HttpOnly Secure SameSite cookies

takeaway 2 connections

Store refresh tokens in cookies carrying the HttpOnly flag (not readable from JavaScript), the Secure flag (sent only over HTTPS), SameSite=Strict (never attached to cross-site requests) and a narrow Path (for example the refresh endpoint only), so the token travels only to the one route that needs it. HttpOnly stops an XSS payload from exfiltrating the token (injected script can still make requests as the user, so it limits rather than removes the XSS impact), SameSite blocks CSRF against the refresh endpoint, and server-controlled cookies make rotation straightforward: each refresh consumes the presented token and sets a fresh one. The pattern works for web and mobile front ends (including Ionic) as long as the API answers CORS with Access-Control-Allow-Credentials: true plus an explicit allow-listed Access-Control-Allow-Origin (not *), and the front end opts in with credentials: 'include' on fetch (or withCredentials on XMLHttpRequest). Caveat: a SameSite=Strict cookie is only sent when the requesting page is same-site with the API; a cross-site front end needs SameSite=None together with Secure, or a same-site reverse proxy in front of the API.

type
recommendation
takeaway Keep refresh tokens in HttpOnly Secure SameSite cookies
about
Restates the HttpOnly-cookie pattern as a recommendation.
takeaway Keep refresh tokens in HttpOnly Secure SameSite cookies
from_talk
Central recommendation of the refresh-token section.

Provenance

Read by
2 extractions