Store Auth-Token in Cookie or Header?

2018-02-23 08:07:19

I do understand that a header is the "cleaner" solution to transport an auth-token from a trusted system to another in a REST call.

But when you are in client-side javaScript code, the world looks different to me.

Cookies can be marked as "http-only" and thus can't be easily stolen by javaScript.

A header even has to be set by javaScript, thus the auth token has to be accessible from within javaScript. But yet, people use auth-header to submit their auth-token from an untrusted client javaScript to the server.

What has changed from the good old "use cookies with http-only and secure flag" to "let the javaScript handle the auth token"?

Or should the right way be that "on the client side, use cookies and as soon as you enter the trusted world, switch to auth-header"?

PS: I know that there are many answers to similar questions, but I think my questions is from a different point of view "what has changed, is different".