# Store Auth-Token in Cookie or Header?

I do understand that a header is the "cleaner" solution to transport an auth-token from a trusted system to another in a REST call.

But when you are in client-side JavaScript code, the world looks different to me.

Cookies can be marked as "http-only" and thus can't be easily stolen by JavaScript.

A header even has to be set by JavaScript, thus the auth token has to be accessible from within JavaScript. But yet, people use an auth-header to submit their auth-token from an untrusted client JavaScript to the server.

What has changed from the good old "use cookies with http-only and secure flag" to "let the JavaScript handle the auth token"?

Or should the right way be that "on the client side, use cookies and as soon as you enter the trusted world, switch to auth-header"?

PS: I know that there are many answers to similar questions, but I think my question is from a different point of view: "what has changed, what is different".
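The two transports the question compares, as an added server-side example (not code from the question or any answer): issuing the token as an HttpOnly + Secure cookie, auditing a Set-Cookie value for those flags, and locating the token on an incoming request whether it arrived in the Authorization header or in the cookie. Assumes Node.js; the cookie name `auth` and the Bearer scheme are assumptions.

```javascript
// Added example (not from the original question). Assumes Node.js;
// the cookie name "auth" is an assumption.
const COOKIE_NAME = 'auth';

// Build the Set-Cookie value the question describes: HttpOnly keeps the token
// out of reach of page JavaScript, Secure restricts it to HTTPS, and
// SameSite=Strict limits the browser from attaching it to cross-site requests.
function buildAuthCookie(token) {
  if (!/^[A-Za-z0-9._~+\/=-]+$/.test(token)) {
    throw new Error('token contains characters not allowed in a cookie value');
  }
  return `${COOKIE_NAME}=${token}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Audit helper: list the protective attributes a Set-Cookie value is missing.
function missingCookieFlags(setCookieValue) {
  const attrs = setCookieValue.split(';').slice(1).map(a => a.trim().toLowerCase());
  return ['httponly', 'secure'].filter(r => !attrs.some(a => a === r || a.startsWith(r + '=')));
}

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Locate the token on an incoming request: the Authorization header first
// (set explicitly by client JavaScript), otherwise the HttpOnly cookie
// (attached automatically by the browser). Returns { token, source } or null.
function extractToken(headers) {
  const auth = headers['authorization'];
  if (auth) {
    const m = /^Bearer\s+(\S+)$/i.exec(auth.trim());
    if (m) return { token: m[1], source: 'header' };
  }
  const cookies = parseCookieHeader(headers['cookie']);
  if (cookies[COOKIE_NAME]) return { token: cookies[COOKIE_NAME], source: 'cookie' };
  return null;
}
```

Because a cookie is attached by the browser to every matching request while a header is only present when the client code adds it, the `source` value tells the server which of the two trust assumptions from the question applies to that request.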