Is there any reason to use HTTP header authorization to send JWT token?
I am confused about using the authorization header versus a cookie.
If I use a cookie, the server will send the JWT token in a cookie (on the client side it will be stored in the cookie).
If I use the authorization header, the server will send the JWT token through a header and the client side will store the token in local storage.
I guess both can have security vulnerabilities. I've checked several posts, but they only said that both methods are dangerous.
Please help me to understand this. Thank you.
From the API's point of view, it might be simpler to handle an authorization header instead of a cookie header. The latter might contain numerous cookies; you then have to parse all of them and find the required header.
On the client-side using tokens instead of cookies will work better for cross-domain requests. In some cases, third-party cookies might get dropped.
Still, as Tore pointed out, it's safer to avoid storing tokens in the browser. You can have a look at the Token Handler pattern that we've created at Curity to learn about the possibilities of using a BFF.
Using the authorization header is slightly safer compared to cookies, because you are less vulnerable to CSRF attacks. However, in both cases you are vulnerable to XSS attacks.
Ideally, you should not store tokens at all in the browser and instead look at using the BFF pattern as described in this video:
alert('OAuth 2.0'); // The impact of XSS on OAuth 2.0 in SPAs
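As an added illustration of the points made in both answers (the Cookie header must be parsed for the right cookie, and only the cookie transport exposes the API to CSRF), here is example server-side code that is not from the answers or from Curity. The cookie name `access_token`, the site origin `https://app.example` and the lower-cased header dict are constructed assumptions.

```python
"""Added example: accept a JWT from either transport and apply the CSRF check
that only the cookie transport needs. Header keys are assumed lower-cased."""
from http.cookies import SimpleCookie

SITE_ORIGIN = "https://app.example"   # assumption: the SPA's own origin
COOKIE_NAME = "access_token"           # assumption: cookie carrying the JWT
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def token_from_authorization(headers):
    """Bearer token from 'Authorization: Bearer <jwt>'; None if absent or malformed."""
    scheme, _, cred = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not cred.strip():
        return None
    return cred.strip()


def token_from_cookie(headers):
    """JWT from the Cookie header; the jar may hold many cookies, so parse them all."""
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def authenticate(method, headers):
    """Return (token, source) with source 'header', 'cookie' or None.
    A header-borne token is only present if the page's own script attached it,
    so CSRF is not a concern there. A cookie is attached by the browser to any
    cross-site request, so state-changing requests must prove their origin
    (an Origin check is used here; SameSite cookies or CSRF tokens are alternatives)."""
    token = token_from_authorization(headers)
    if token:
        return token, "header"
    token = token_from_cookie(headers)
    if token is None:
        return None, None
    if method.upper() not in SAFE_METHODS and headers.get("origin") != SITE_ORIGIN:
        raise PermissionError("cookie-authenticated cross-site request rejected")
    return token, "cookie"


def access_token_set_cookie(jwt, max_age=900):
    """Set-Cookie line for the cookie transport: HttpOnly keeps it away from script,
    SameSite=Strict stops the browser sending it cross-site, Secure keeps it off HTTP."""
    return (f"{COOKIE_NAME}={jwt}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")
```

Note that neither transport helps against XSS: script running in the page can call the API with the cookie attached, or read local storage and send the token itself, which is why the answers point to the BFF pattern.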