In this video (part of the Angular Security course, angular-university.io/course/angular-security-course) we will learn how to build a JWT-based user session and how to send it back to the client. In this particular case the authentication server and the application server run on the same domain, so we will store the JWT in a Secure, HttpOnly cookie: the browser attaches it to every request to that domain automatically, and page scripts cannot read it. Because the browser attaches the cookie to cross-site requests as well, a cookie-based session needs request-forgery (XSRF) defenses; later in this course we will learn how to add them to the application.
@shuk (6 years ago)
Hi, I have followed this guide in my development environment, but it failed in production as I had to switch the proxy mechanism to a CORS one. Do you have a working implementation of this using CORS?
@JanKowalski-kh9nl (5 years ago)
How does protection against CSRF work if you keep the JWT in cookies? If the attacker's website has HTTPS, will the browser automatically send the cookie with the JWT, and will the server successfully authenticate the request from the attacker's site?
@Dfeneck (2 years ago)
3 years ago, I'm sure you know the answer by now, but I'll answer (very) briefly for others: JWTs are signed with a private key by the authentication server as each one is generated. The JWT has a copy of the resulting public key (its footer section). On authentication, when you pass the JWT to your secure server, it will verify that the JWT still matches the stored public key; if it doesn't, the JWT has been modified and is thus rejected.