HTTP Only Cookies Authentication
The plugin manages authentication using HTTP-only cookies, protecting JWT tokens and providing a logout feature for users.
Installation
Via npm
npm install strapi-v5-http-only-auth
Via yarn
yarn add strapi-v5-http-only-auth
Configuration
To configure the plugin, add the following code to your config file:
// config/plugins.ts
export default () => ({
'strapi-v5-http-only-auth': {
enabled: true,
config: {
// Default cookie settings
cookieOptions: {
secure: process.env.NODE_ENV === 'production',
maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days
sameSite: 'lax',
domain: process.env.CLIENT_DOMAIN,
path: '/',
},
// If set to true, the JWT will be removed from the response
// after a successful login or registration
deleteJwtFromResponse: true,
},
},
});
How It Works
The plugin takes the JWT returned by POST /api/auth/local (and by registration) and sets it in an HTTP-only cookie; because the cookie is HttpOnly, script running in the page cannot read the token through document.cookie, which is the point of moving it out of the JSON response (with deleteJwtFromResponse: true the client never sees it at all). On every request to a path under /api, the plugin reads that cookie and copies its value into the Authorization header, so Strapi's normal users-permissions authentication runs unchanged. Since the browser now attaches the credential automatically, the sameSite setting in cookieOptions is what limits cross-site requests from carrying it: keep it at 'lax' or 'strict' rather than 'none' unless you have a separate CSRF defence, and keep secure enabled outside development so the cookie is only sent over HTTPS.
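To make the mechanism concrete, here is an added example (not the plugin's own source) that models the three steps in plain Node.js: turning the login response's JWT into a Set-Cookie header, mapping the cookie back into Authorization for /api requests, and clearing the cookie for the DELETE /api/auth/local logout route described further down. The cookie name "token", the "Bearer" scheme, the example domain, the sample JWT and the choice to leave an explicit Authorization header untouched are all assumptions of this example; the page does not state them.

```javascript
// Added example, not the plugin's own source. Assumptions: the cookie is
// named "token" and the header uses the "Bearer" scheme; the JWT below is a
// constructed sample (header.payload.fake-signature), not a signed token.
const COOKIE_NAME = 'token';

// Mirrors cookieOptions from config/plugins.ts; "example.com" stands in for
// process.env.CLIENT_DOMAIN. maxAge is in milliseconds, as in the config.
const cookieOptions = {
  secure: true,
  maxAge: 30 * 24 * 60 * 60 * 1000,
  sameSite: 'lax',
  domain: 'example.com',
  path: '/',
};

// {"alg":"HS256","typ":"JWT"} . {"id":1} . fake signature
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MX0.fakesig';

function serializeCookie(value, opts) {
  const parts = [`${COOKIE_NAME}=${value}`, 'HttpOnly']; // HttpOnly: no document.cookie access
  if (opts.secure) parts.push('Secure');                  // send over HTTPS only
  if (opts.sameSite) {
    const v = opts.sameSite;
    parts.push(`SameSite=${v[0].toUpperCase()}${v.slice(1)}`); // 'lax' -> 'Lax'
  }
  if (opts.maxAge != null) parts.push(`Max-Age=${Math.max(0, Math.floor(opts.maxAge / 1000))}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  parts.push(`Path=${opts.path || '/'}`);
  return parts.join('; ');
}

// Step 1: after POST /api/auth/local succeeds, move the JWT out of the JSON
// body and into a Set-Cookie header. Returns { body, setCookie }.
function onLoginSuccess(responseBody, { deleteJwtFromResponse = true } = {}) {
  const { jwt, ...rest } = responseBody;
  if (typeof jwt !== 'string' || !/^[\w-]+\.[\w-]+\.[\w-]*$/.test(jwt)) {
    throw new Error('login response did not carry a JWT');
  }
  return {
    body: deleteJwtFromResponse ? rest : responseBody,
    setCookie: serializeCookie(jwt, cookieOptions),
  };
}

function parseCookies(header = '') {
  const out = {};
  for (const pair of header.split(';')) {
    const i = pair.indexOf('=');
    if (i > 0) out[pair.slice(0, i).trim()] = pair.slice(i + 1).trim();
  }
  return out;
}

// Step 2: on requests under /api, copy the cookie into Authorization so the
// rest of the auth chain sees an ordinary bearer token. Returns the headers a
// downstream handler would see. Leaving an explicit Authorization header
// untouched is this example's choice, not something the page states.
function cookieToAuthorization(req) {
  const headers = { ...req.headers };
  if (!req.path.startsWith('/api')) return headers;
  if (headers.authorization) return headers;
  const jwt = parseCookies(headers.cookie)[COOKIE_NAME];
  if (jwt) headers.authorization = `Bearer ${jwt}`;
  return headers;
}

// Step 3: DELETE /api/auth/local. Clearing a cookie means re-sending it with
// the same Domain and Path and Max-Age=0; a different Domain/Path would leave
// the original cookie in place.
function onLogout() {
  return {
    body: { message: 'You have been logged out successfully.' },
    setCookie: serializeCookie('', { ...cookieOptions, maxAge: 0 }),
  };
}

// Walk the whole flow on constructed data.
function demo() {
  const login = onLoginSuccess({ jwt: SAMPLE_JWT, user: { id: 1, username: 'alice' } });
  const cookie = login.setCookie.split(';')[0]; // "token=<jwt>", as a browser echoes it back
  const seen = cookieToAuthorization({ path: '/api/users/me', headers: { cookie: `theme=dark; ${cookie}` } });
  return { bodyHasJwt: 'jwt' in login.body, authorization: seen.authorization, logout: onLogout().setCookie };
}

console.log(demo());
```

Two details worth noticing: Max-Age is emitted in seconds although the config's maxAge is in milliseconds, and the logout cookie repeats the exact Domain and Path of the login cookie, because a browser only replaces a cookie whose name, domain and path all match.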
This plugin also provides a logout feature. To enable it, grant permissions to the logout endpoint in:
Admin Panel → Settings → Roles → Authenticated → Users-permissions
The logout route is available at:
DELETE /api/auth/local
Successful Logout Response:
{
"message": "You have been logged out successfully."
}
Enjoy!