Is setting Jwt and fresh tokens as HTTP only cookies good ?
I'm building out authentication and currently send JWT and refresh tokens as HTTP only cookies and the backend validates the cookies instead of doing it through the bearer header is this an ok strategy?
