10. Security Checklist for Token Auth
If you choose JWT, ensure you check these boxes:
- Use HTTPS (TLS): Tokens sent over plain HTTP can be read by anyone on the network path.
- Short Expiry: Access tokens should expire in 15-30 minutes, so a leaked one is only useful briefly.
- HttpOnly Cookies: Store tokens in HttpOnly cookies, not LocalStorage, so that script injected via XSS cannot read them.
- SameSite=Strict: Prevent CSRF by telling the browser not to send the cookie on cross-site requests.
- Rotation: Issue a NEW refresh token every time the old one is used. This detects theft: if an already-rotated token is presented again, revoke everything issued to that session.
- Blacklist: If you need immediate logout, keep a Redis list of revoked token IDs (an entry only needs to live until the token's own expiry, so the list stays bounded).
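The checklist items above fit together into one small flow, shown here as an added example that is not from the original article: a minimal HS256 JWT signer/verifier, refresh-token rotation with reuse detection (replay of an older token revokes the whole family), a revocation list whose entries expire with the token, and the Set-Cookie attributes. The `TokenStore` class is an in-memory stand-in for the Redis structures the checklist mentions, the key is a constructed placeholder, and all function names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values: a real deployment loads the key from a secret store.
SECRET = b"constructed-demo-key-do-not-reuse"
ACCESS_TTL = 15 * 60          # access token lifetime: 15 minutes (checklist item 2)
REFRESH_TTL = 7 * 24 * 3600   # refresh token lifetime: 7 days (assumed value)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key=SECRET):
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_jwt(token, key=SECRET, now=None):
    """Return the claims if signature and expiry check out, else None.
    Only HS256 with our key is accepted; the header's alg field is never trusted."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
        if not isinstance(claims, dict) or float(claims["exp"]) <= now:
            return None
    except (ValueError, KeyError, TypeError):   # malformed token or claims
        return None
    return claims


class TokenStore:
    """In-memory stand-in for Redis: a revocation list with TTLs and the
    'current refresh token' per token family."""

    def __init__(self):
        self.revoked = {}    # jti -> expiry; in Redis: SET <jti> 1 EX <remaining ttl>
        self.families = {}   # family id -> {"refresh": jti, "access": jti}

    def revoke(self, jti, exp):
        self.revoked[jti] = exp

    def is_revoked(self, jti, now):
        exp = self.revoked.get(jti)
        if exp is not None and exp <= now:   # entry outlived its token: drop it
            del self.revoked[jti]
            return False
        return exp is not None


def _mint_pair(store, user, family, now):
    access_jti, refresh_jti = secrets.token_hex(16), secrets.token_hex(16)
    store.families[family] = {"refresh": refresh_jti, "access": access_jti}
    access = sign_jwt({"sub": user, "typ": "access", "jti": access_jti,
                       "fam": family, "exp": now + ACCESS_TTL})
    refresh = sign_jwt({"sub": user, "typ": "refresh", "jti": refresh_jti,
                        "fam": family, "exp": now + REFRESH_TTL})
    return access, refresh


def login(store, user, now=None):
    """Start a new token family for a freshly authenticated user."""
    return _mint_pair(store, user, secrets.token_hex(8), time.time() if now is None else now)


def _kill_family(store, family, now):
    """Revoke everything the family issued that could still be alive."""
    current = store.families.pop(family, None)
    if current:
        store.revoke(current["access"], now + ACCESS_TTL)  # upper bound on its expiry


def rotate_refresh(store, refresh_token, now=None):
    """Rotation: only the family's newest refresh token is accepted. Presenting an
    older one means it was replayed, so the whole family is revoked."""
    now = time.time() if now is None else now
    claims = verify_jwt(refresh_token, now=now)
    if claims is None or claims.get("typ") != "refresh":
        return None
    family = claims.get("fam")
    current = store.families.get(family)
    if current is None:
        return None                       # family already revoked
    if current["refresh"] != claims.get("jti"):
        _kill_family(store, family, now)  # reuse detected: revoke everything
        return None
    return _mint_pair(store, claims["sub"], family, now)


def check_access(store, access_token, now=None):
    """What a protected endpoint runs: signature, expiry, token type, revocation list."""
    now = time.time() if now is None else now
    claims = verify_jwt(access_token, now=now)
    if claims is None or claims.get("typ") != "access":
        return None
    return None if store.is_revoked(claims.get("jti"), now) else claims


def logout(store, access_token, now=None):
    """Immediate logout: blacklist the access token until it would expire anyway,
    and end its refresh-token family. Returns True if a valid token was revoked."""
    now = time.time() if now is None else now
    claims = verify_jwt(access_token, now=now)
    if claims is None or claims.get("typ") != "access":
        return False
    store.revoke(claims["jti"], claims["exp"])
    _kill_family(store, claims["fam"], now)
    return True


def set_cookie_header(name, value, max_age):
    """Set-Cookie attributes from the checklist: Secure (HTTPS only), HttpOnly, SameSite=Strict."""
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Strict"
```

Two design points worth noting. The revocation list is keyed by `jti` and each entry expires with the token, which is what keeps it small enough to sit in Redis; and a refresh token is bound to a family ID, so reuse detection does not need the server to remember every token ever issued, only the newest one per family.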
Security is not a feature; it's a process.