I am working with Set-Cookie header cookies. There is a requirement where my auth service is placed on www.website_one.com and my client sits on www.website_two.com.
Now, ideally, Set-Cookie will not work because it is not allowed, but can we do something about this while keeping the web app secure from attacks?
I have tried the following:
res.cookie("XSRF-TOKEN", req.csrfToken(), { secure: true, httpOnly: false, sameSite: 'None', domain: 'mydomain.com' });
But this does not work.
I am very curious as to how I can protect my applications if such use cases are to arise. Any help is appreciated, thank you!
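The following is an added example, not code from the original question: a small model of the RFC 6265 rules a browser applies when a response sets a cookie, run against the host names from the question. It shows why a Set-Cookie from www.website_one.com carrying Domain=mydomain.com is dropped (the response host does not domain-match the attribute), why SameSite=None is only honoured together with Secure, and why even a correctly stored cookie for website_one.com is never attached to requests to www.website_two.com. The header strings and host names are constructed for the example; public-suffix checks and path matching are omitted for brevity.

```javascript
// Added example (not from the original question). Models the cookie-storage
// and cookie-sending rules of RFC 6265 sections 5.1.3, 5.3 and 5.4 that
// decide the fate of the Set-Cookie header in the question. No network access.

// RFC 6265 5.1.3 domain-matching: the host equals the domain, or ends with
// "." followed by the domain.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Parse a Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map(s => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Decide whether a browser stores a cookie set by a response from responseHost.
// Returns { stored, reason, ... } so callers can inspect why a cookie was dropped.
function storeCookie(responseHost, setCookieHeader) {
  const c = parseSetCookie(setCookieHeader);
  let domain = responseHost.toLowerCase();
  let hostOnly = true;                       // no Domain attribute: host-only cookie
  if (typeof c.attrs.domain === 'string') {
    domain = c.attrs.domain.replace(/^\./, '').toLowerCase(); // leading dot is ignored
    hostOnly = false;
    // RFC 6265 5.3 step 6: reject if the response host does not domain-match the attribute.
    // (Public-suffix rejection, e.g. Domain=com, is omitted in this model.)
    if (!domainMatches(responseHost, domain)) {
      return { stored: false, reason: `Domain=${domain} does not cover ${responseHost}` };
    }
  }
  const secure = c.attrs.secure === true;
  const sameSite = String(c.attrs.samesite || 'Lax').toLowerCase();
  // Modern browsers drop SameSite=None cookies that are not also marked Secure.
  if (sameSite === 'none' && !secure) {
    return { stored: false, reason: 'SameSite=None requires Secure' };
  }
  return { stored: true, reason: 'ok', name: c.name, value: c.value, domain, hostOnly, secure, sameSite };
}

// Would a stored cookie be attached to a request to requestHost? (RFC 6265 5.4 host rule only.)
function sentTo(stored, requestHost) {
  if (!stored.stored) return false;
  const host = requestHost.toLowerCase();
  return stored.hostOnly ? host === stored.domain : domainMatches(host, stored.domain);
}

// Walk the three cases relevant to the question and return them for inspection.
function demo() {
  const auth = 'www.website_one.com';
  const client = 'www.website_two.com';
  const attempted = storeCookie(auth, 'XSRF-TOKEN=abc; Secure; SameSite=None; Domain=mydomain.com');
  const insecure  = storeCookie(auth, 'XSRF-TOKEN=abc; SameSite=None; Domain=website_one.com');
  const valid     = storeCookie(auth, 'XSRF-TOKEN=abc; Secure; SameSite=None; Domain=website_one.com');
  return {
    attempted,
    insecure,
    valid,
    validReachesClient: sentTo(valid, client),          // false: different registrable domain
    validReachesApi: sentTo(valid, 'api.website_one.com') // true: subdomain of website_one.com
  };
}

module.exports = { domainMatches, parseSetCookie, storeCookie, sentTo, demo };
```

Running demo() shows the attempted header rejected with a domain-mismatch reason, the Secure-less variant rejected because of SameSite=None, and the valid cookie stored but only ever sent to website_one.com hosts. In other words, the Domain attribute can widen a cookie to subdomains of the setting host, never to an unrelated site, so a cookie minted by the auth origin cannot be read or sent by the client origin; any cross-site design has to hand the token over another way (for example in a response body over a CORS request) rather than via Set-Cookie.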