Popular posts

Depends on your users/market needs, but as bullet points:

• Prefers headless architecture (trust me, give you a favor for the future)
• JWT (yep), but PASETO is an option if you want to have a confidential payload encrypted.
• Remember to create access and refresh tokens with short TTLs.
• Never store the JWT or similar in the db. First, verify the signature/expiration; then, if needed, compare it with the jti (ID) in your table/collection to extract user data (or the token payload)
• Never set confidential info (email, name, etc) in the JWT payload, but userId, orgId, etc. is fine
• Caution with the algorithm, sign the JWT with an explicit option
• In frontend, prefer cookies httpOnly, but localStorage 🤷🏻‍♂️ : XSS, supply chain attack or 3rd party scripts
• Handle access token expiration with 401, set interceptors in the frontend to fetch /renew and get a new token
• In authentication, implement captcha. Otherwise, protect it against brute-force attacks with an incremental delay that ends with a temporal block per IP.
• Wildcard suggestion: Put Cloudflare in front of your app and configure WAF rules.