I read a comment on here that goes something like "trying to hide user authentication from an XSS attack is like reinforcing your fridge against a nuclear bomb; at that point, you've got much bigger problems to worry about, and nothing you reinforce your fridge with will be effective anyway".

Is this accurate?

Roy He
  • Where was this quote from? Context can be important – schroeder Oct 08 '20 at 16:36
  • I think it was a dude asking whether cookies were more secure than localstorage. Some folks said cookies were safer, some said that neither were safe against a smart hacker once a XSS attack had begun. – Roy He Oct 08 '20 at 16:40
  • I mean: what is the link to this comment? – schroeder Oct 08 '20 at 17:03
  • I would think from the perspective of defense-in-depth it would be worthwhile if the resource cost (complexity, development effort, testing, performance, size) isn't overwhelming. But the effort may be better spent elsewhere such as mitigating XSS in the first place. – Tyler Szabo Oct 08 '20 at 20:15
  • See also [Does setting httponly prevent stealing a session using XSS?](https://security.stackexchange.com/questions/43529/does-setting-httponly-prevent-stealing-a-session-using-xss) – Sjoerd Oct 09 '20 at 13:25
  • See also [Why are cookies considered more secure against XSS?](https://security.stackexchange.com/questions/116898/why-are-cookies-considered-more-secure-against-xss) – Sjoerd Oct 09 '20 at 13:26

0 Answers
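The comments above contrast cookies with localStorage and point at the HttpOnly question. The following is an added example, not part of the question or any comment, that models the one browser rule behind that discussion: an HttpOnly cookie is withheld from `document.cookie`, but the browser still attaches it to every request the page makes. The cookie jar, the minimal Set-Cookie parser and the `documentCookie`/`requestCookieHeader` functions are assumptions constructed for this illustration, not browser APIs; the CSP value is one reasonable policy, included because the comment about mitigating XSS in the first place is where the real leverage is.

```javascript
// Added example: a small model of how a browser exposes cookies to page
// script. Everything here is constructed for illustration; the names
// sessionCookieHeader, parseSetCookie, documentCookie, requestCookieHeader
// and cspHeader are assumed helpers, not a real library.

// Build a Set-Cookie header value for a session token with the hardening
// flags: Secure (HTTPS only), HttpOnly (hidden from script), SameSite=Lax.
function sessionCookieHeader(name, value, { maxAge = 3600 } = {}) {
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; ` +
         `Secure; HttpOnly; SameSite=Lax`;
}

// Minimal Set-Cookie parser (constructed): name/value plus the flags we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const entry = {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    httpOnly: false,
    secure: false,
    sameSite: 'None',
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'httponly') entry.httpOnly = true;
    else if (key === 'secure') entry.secure = true;
    else if (key === 'samesite') entry.sameSite = v;
  }
  return entry;
}

// What document.cookie returns to page script: HttpOnly entries are omitted.
// This is the only thing HttpOnly buys you.
function documentCookie(jar) {
  return jar.filter(c => !c.httpOnly)
            .map(c => `${c.name}=${c.value}`)
            .join('; ');
}

// What the browser attaches to a same-site request from that page: every
// cookie, HttpOnly or not. Script running on the page can therefore still
// act with the user's session even though it cannot read the token.
function requestCookieHeader(jar) {
  return jar.map(c => `${c.name}=${c.value}`).join('; ');
}

// A Content-Security-Policy that addresses the root cause rather than the
// symptom: no inline script, script only from the site's own origin.
function cspHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";
}

// Walk through the model with a constructed session cookie and one
// ordinary, script-visible preference cookie.
function demo() {
  const jar = [
    parseSetCookie(sessionCookieHeader('sid', 'constructed-session-token')),
    parseSetCookie('theme=dark; Path=/'),
  ];
  return {
    visibleToScript: documentCookie(jar),        // 'theme=dark'
    sentWithRequests: requestCookieHeader(jar),  // 'sid=constructed-session-token; theme=dark'
    policy: cspHeader(),
  };
}

console.log(demo());
```

Read the two fields of `demo()` together: `visibleToScript` is what HttpOnly protects (the token value cannot be exfiltrated by reading `document.cookie`), while `sentWithRequests` is why the fridge comparison has a point (script on the page can still send authenticated requests). The flag is cheap defense in depth, which matches the comment about resource cost, but the CSP header is the control aimed at the bigger problem.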