
Security

Flask/Vue app and CSRF/XSS protection

I have this Flask app that is serving as an API endpoint to a Vue.js app. They are run separately, each with their own port numbers. My current authentication flow is like this: Vue form sends JSON with username/pass to Flask. Flask checks username and password and responds with a JSON Web Token. Vue grabs the response and sets it as a cookie manually. Vue then extracts the cookie and sets it as an Authorization header through JavaScript for the endpoints that need authentication. This is working quite nicely.

My question is, is this vulnerable to CSRF attacks? I was reading contrasting articles: some say it is, and others say that cookies are bad, etc. Opinions as well? If you want to see the code, let me know.

The logic I'm following is this: CSRF attacks rely on the browser automatically adding cookies as a header, whereas I'm overriding the default behavior and assigning the cookie's value as an Authorization: Bearer token. Also, XSS attacks are less likely since the token is not in local storage.
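The flow described in the post, as an added example that is not the poster's code and not Flask itself: a standard-library-only model of the two endpoints (a login route that issues an HS256 JWT, and a protected route that authenticates from the Authorization header only), plus a constructed cross-site request that carries the cookie but no header. The secret key, the user table, the 15-minute expiry and the request dictionaries are all assumptions made for the example. It also includes the variant a practitioner should watch for: a server that falls back to reading the cookie when the header is missing, which quietly reintroduces CSRF.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example only: a real app loads the key from config and
# stores password hashes (bcrypt/argon2), not plaintext passwords.
SECRET = b"example-only-secret-rotate-me"
USERS = {"alice": "correct horse"}
TOKEN_TTL_SECONDS = 900


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_encode(claims: dict) -> str:
    """Build a compact HS256 JWT: header.payload.signature (base64url, no padding)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_decode(token: str, now=None):
    """Return the claims if the signature and expiry check out, else None.
    Pins the algorithm to HS256 so an 'alg: none' token is rejected."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # bad base64, bad JSON or wrong number of segments
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims


def login(body: dict):
    """POST /login: JSON {username, password} in, JSON {token} out (the Flask side)."""
    stored = USERS.get(body.get("username", ""))
    if stored is None or not hmac.compare_digest(stored, body.get("password", "")):
        return 401, {"error": "bad credentials"}
    claims = {"sub": body["username"], "exp": int(time.time()) + TOKEN_TTL_SECONDS}
    return 200, {"token": jwt_encode(claims)}


def current_user(request: dict):
    """Authenticate ONLY from 'Authorization: Bearer <jwt>'; the cookie is ignored.
    A cross-site form/img request cannot set this header, so it fails here."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    claims = jwt_decode(auth[len("Bearer "):])
    return claims["sub"] if claims else None


def current_user_cookie_fallback(request: dict):
    """The variant to avoid: reading the browser-attached cookie when the header
    is absent accepts exactly the request a CSRF attacker can forge."""
    user = current_user(request)
    if user:
        return user
    claims = jwt_decode(request.get("cookies", {}).get("token", ""))
    return claims["sub"] if claims else None


def protected(request: dict, authenticate=current_user):
    """GET /me: the endpoint that needs authentication."""
    user = authenticate(request)
    if user is None:
        return 401, {"error": "unauthorized"}
    return 200, {"message": f"hello {user}"}


def demo():
    """Constructed requests: a legitimate Vue call and a cross-site forgery."""
    _, body = login({"username": "alice", "password": "correct horse"})
    token = body["token"]
    # Vue read its own cookie and copied the value into the header itself.
    legit = {"headers": {"Authorization": f"Bearer {token}"}, "cookies": {"token": token}}
    # attacker.example page: the browser attaches the cookie, but the page
    # cannot add a custom Authorization header to a cross-site request.
    forged = {"headers": {}, "cookies": {"token": token}}
    return {
        "legit": protected(legit)[0],
        "forged_header_only": protected(forged)[0],
        "forged_cookie_fallback": protected(forged, current_user_cookie_fallback)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats the model makes visible. First, the CSRF resistance comes entirely from the server reading the Authorization header and never the cookie; `current_user_cookie_fallback` shows how one convenience branch undoes it. Second, for JavaScript to copy the cookie into the header, the cookie cannot be HttpOnly, so an XSS payload can read it just as easily as it could read localStorage; keeping the token out of localStorage does not by itself reduce XSS impact. A cross-site `fetch()` that tries to add an Authorization header triggers a CORS preflight, so the Flask side must also not answer that preflight with a wildcard origin plus credentials.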