I have an AngularJS 1.6 application.
I'm using JWT (JSON Web Token) authentication. What that means is that on login, I send the credentials to the server, and the server replies with a JWT token that the front end will send with every other request to prove the user is identified.
The server will check that the token is valid before sending any data.
During a security audit, an external company did penetration testing on our website and came back saying:
The “AuthSession” cookie is not flagged as Secure
I'm trying to understand what I have to do to make it "secure".
I'm storing the token in the localStorage using ngStorage, so the only line of code I have to store the Token is:
$localStorage['TOKEN'] = iToken;
I don't think I understand correctly what "cookie is not flagged as Secure" means.
Looking at various websites, it seems (with cookies, I'm not sure if that's the same for localStorage) that to mark a cookie as secure, you just need to add ";secure" at the end of the value you want to store.
So my question is: How do I make storing the token "secure" with ngStorage? Do I just have to append ";secure" at the end of the token and strip it when I retrieve the token?
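For context on the finding, here is an added example (not code from the question, from ngStorage, or from the auditor) showing what the Secure flag actually is: an attribute of a cookie that the server sends in its Set-Cookie header, which an audit checks by parsing that header. The cookie name "AuthSession" comes from the finding; the value, path and the helper names are assumptions made up for the example.

```javascript
// Build a Set-Cookie header value. The Secure, HttpOnly and SameSite flags
// are attributes of the header the server sends, not part of the cookie's value.
function buildSetCookie(name, value, opts = {}) {
  // Reject separators that would let a value smuggle in extra attributes.
  if (/[;,\s=]/.test(name) || /[;,\s]/.test(value)) {
    throw new Error('invalid cookie name or value');
  }
  const parts = [`${name}=${value}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.secure) parts.push('Secure');       // only sent over HTTPS
  if (opts.httpOnly) parts.push('HttpOnly');   // not readable from JavaScript
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header value into its name, value and security attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = v;
  }
  return cookie;
}

// The check behind the audit finding: which protective flags are missing.
function auditCookieHeader(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.secure) findings.push(`${c.name}: not flagged as Secure`);
  if (!c.httpOnly) findings.push(`${c.name}: not flagged as HttpOnly`);
  if (!c.sameSite) findings.push(`${c.name}: no SameSite attribute`);
  return findings;
}

// Constructed sample headers: the weak one reproduces the finding, the
// hardened one is what the server should send instead.
const weakHeader = 'AuthSession=abc123; Path=/';
const hardenedHeader = buildSetCookie('AuthSession', 'abc123',
  { path: '/', secure: true, httpOnly: true, sameSite: 'Strict' });
console.log(auditCookieHeader(weakHeader), auditCookieHeader(hardenedHeader));
```

Because these flags exist only for cookies, a token kept in localStorage has no Secure or HttpOnly equivalent; it is readable by any script running on the page, which is a separate risk from the cookie finding.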