
🍪 Cookie-Based JWT Authentication
A few weeks ago, I was staring at a project thinking: "Where is the safest place for a frontend to store these tokens?" 🤔

Every tutorial said the same thing: localStorage. But something felt… off. ⚠️

So I started digging deeper 🔍 and realized: if any malicious script runs on the page, localStorage is wide open. One XSS attack… and your tokens are gone. 💀

That's when I asked myself: 👉 What if the frontend never touches the tokens at all? 💡

That's when I discovered Cookie-Based JWT Authentication.

The idea is simple but powerful. Instead of sending JWT tokens in the response body… 👉 store them inside httpOnly cookies.

Now the browser handles everything automatically:
🍪 Stores the token
📤 Sends it with every request
🙈 Keeps it hidden from JavaScript

⚙️ Here's what I built:
→ User logs in → server generates access + refresh tokens 🔐
→ Tokens go into httpOnly cookies (not the response body) 🍪
→ Every request automatically includes the token 🚀
→ Custom auth class reads from cookies instead o
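The four steps above, as an added worked example (not the post's own code, and not tied to any particular framework): a Python backend that issues an access and a refresh JWT, returns them only as `Set-Cookie` headers, and authenticates later requests through a `CookieJWTAuthentication` class that reads the `Cookie` header instead of `Authorization`. The signing helpers use HS256 via the standard library instead of a JWT package, and the cookie names, secret, lifetimes and the `/auth/refresh` path are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie
from typing import Optional

# Assumed signing key for the example; a real deployment loads it from a secret store.
SECRET_KEY = b"replace-me-with-a-32-byte-random-secret"
ACCESS_TTL = 15 * 60          # assumed: 15-minute access token
REFRESH_TTL = 7 * 24 * 3600   # assumed: 7-day refresh token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, key: bytes = SECRET_KEY) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SECRET_KEY, now: Optional[float] = None) -> dict:
    """Check structure, algorithm, signature and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the server decides the algorithm, never the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def issue_tokens(user_id: str, now: Optional[float] = None) -> tuple:
    """Step 1: after a successful login, mint an access token and a refresh token."""
    now = time.time() if now is None else now
    access = make_jwt({"sub": user_id, "type": "access", "exp": int(now + ACCESS_TTL)})
    refresh = make_jwt({"sub": user_id, "type": "refresh", "exp": int(now + REFRESH_TTL)})
    return access, refresh


def login_response_headers(access: str, refresh: str) -> list:
    """Step 2: the login handler returns the tokens as cookies, not in the JSON body."""
    flags = "HttpOnly; Secure; SameSite=Strict"
    return [
        ("Set-Cookie", f"access_token={access}; Path=/; Max-Age={ACCESS_TTL}; {flags}"),
        # Scope the refresh cookie to the refresh endpoint (assumed path) so the
        # long-lived token is not sent along with every ordinary request.
        ("Set-Cookie", f"refresh_token={refresh}; Path=/auth/refresh; Max-Age={REFRESH_TTL}; {flags}"),
    ]


class CookieJWTAuthentication:
    """Steps 3 and 4: the browser attaches the cookie; the server reads it from the Cookie header."""

    cookie_name = "access_token"

    def authenticate(self, request_headers: dict, now: Optional[float] = None) -> Optional[dict]:
        jar = SimpleCookie()
        jar.load(request_headers.get("Cookie", ""))
        morsel = jar.get(self.cookie_name)
        if morsel is None:
            return None  # no cookie: treat the request as anonymous
        claims = verify_jwt(morsel.value, now=now)  # raises on tampering or expiry
        if claims.get("type") != "access":
            raise ValueError("refresh token presented as access token")
        return {"user_id": claims["sub"]}


if __name__ == "__main__":
    acc, ref = issue_tokens("u42")
    for name, value in login_response_headers(acc, ref):
        print(f"{name}: {value[:60]}...")
    print(CookieJWTAuthentication().authenticate({"Cookie": f"access_token={acc}"}))
```

Because the browser now attaches the cookie to every matching request on its own, two things change on the server side: the API needs cross-site request protection (the `SameSite=Strict` flag above, or a CSRF token for cross-site clients), and HttpOnly only stops script from reading the token, not from making authenticated requests from a compromised page, so XSS still has to be prevented.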
Continue reading on Dev.to



