Explore the essentials of Cross-Origin Resource Sharing (CORS), JWT tokens, and secure cookie practices in token-based authentication. This quiz deepens understanding of how cross-origin security measures interact with JSON Web Tokens and cookie handling to protect web applications.
When a browser sends a CORS preflight OPTIONS request before accessing a protected API that uses JWT for authentication, what should the server do to ensure the client application can proceed?
Explanation: During a CORS preflight (OPTIONS) request, browsers expect only CORS headers to determine if the actual request is allowed. The correct action is to respond with the required CORS headers and avoid authentication checks, as no sensitive data is transferred at this stage. Blocking the preflight based on JWT or injecting tokens on the server side would prevent legitimate cross-origin traffic. Returning the resource outright without checking the method would break HTTP protocol rules.
What is the most important attribute to set on a cookie that stores a JWT to prevent cross-site scripting (XSS) attacks from accessing its value?
Explanation: Setting the HttpOnly attribute on a JWT cookie ensures it cannot be accessed via JavaScript, protecting it from theft through XSS attacks. SameSite is primarily used to mitigate CSRF, not JS access. Expires and Path help with cookie lifespan and scope but do not affect JS accessibility. Only HttpOnly effectively blocks client-side scripts from reading sensitive cookie data.
If a frontend application on domain A wants to send and receive cookies containing JWT to an API on domain B, which CORS response header must the API include?
Explanation: Access-Control-Allow-Credentials: true is required in the CORS response for browsers to send and receive cookies cross-origin. Allow-Origin-Credentials: true and Access-Control-Allow-Cookies: yes are not actual CORS headers, and Access-Control-Allow-Headers controls which headers can be sent, not cookie handling. Without Allow-Credentials, credentials like cookies will not accompany cross-origin requests.
What is the main security risk of storing JWT access tokens in localStorage during cross-origin authentication scenarios?
Explanation: The main concern with storing JWTs in localStorage is their exposure to malicious JavaScript from XSS attacks, which can compromise users' tokens. LocalStorage does not sync tokens across domains, so that is incorrect. Tokens are not sent with each HTTP request; they must be manually added, which is an inconvenience but not a direct security risk. Caching after logout is possible, but the risk of JS access is far more severe.
How does setting a cookie's SameSite attribute to 'Strict' affect cross-origin requests using JWT authentication?
Explanation: SameSite=Strict instructs browsers not to include the cookie in any cross-origin requests, which prevents automatic JWT cookie transmission from third-party sites. Only the Secure attribute mandates HTTPS, not SameSite. The browser simply withholds the cookie; it does not block responses or bypass JavaScript accessibility rules by itself. For JavaScript access, the HttpOnly flag is more relevant.