The user JWT is sent to the browser as an HTTP-only cookie. My question is, what is the best way to communicate the display name, user database ID, etc. to the browser?
I know that this information can be, and is, set in the JWT payload, but isn't it best practice to make that cookie (JWT) unavailable to client-side JavaScript?
I can think of two ways: setting custom response headers, or sending the data as JSON in an element. The idea is to send it out of band, so to speak.
I want to stay compliant.
I think the correct answer is to set the no-cache response header and then store the returned information in localStorage, but I wanted to ask...
P粉275883973 2023-09-16 12:51:57
Multiple cookies can be sent to the browser, and they can optionally be marked as HTTP Only, as shown below. Additionally, your server can send data/JSON in response to your browser XHR/Fetch requests.
// Build one Set-Cookie header per cookie; only the token cookie is HttpOnly.
let cookieArray = [];
// Profile fields: readable from document.cookie by client-side JavaScript.
cookieArray.push(`displayName=${displayName}`);
cookieArray.push(`id=${id}`);
cookieArray.push(`email=${email}`);
// The JWT: HttpOnly, so client-side JavaScript cannot read it.
cookieArray.push(`token=${cookie}; HttpOnly`);
// Node's setHeader accepts an array to emit multiple Set-Cookie headers.
response.setHeader('Set-Cookie', cookieArray);
result:
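The answer's two options worked through as an added example (not code from the question or the answer above): a small Node.js handler that keeps the JWT in an HttpOnly cookie, exposes the non-secret profile fields as readable cookies, and also serves them as JSON from a fetch/XHR endpoint. Beyond the posted snippet, every cookie here carries Path, Secure and SameSite attributes and its value is percent-encoded, so a display name containing ";" or whitespace cannot split the header. The route names (/login, /me), the helper names, the sample user and the placeholder token are all assumptions made for this example; in a real application the user record comes from the database after credential verification and the token is a signed JWT.

```javascript
// Added example, not from the original answer. Names, routes and sample
// data below are assumptions made for illustration only.

// Build Set-Cookie header values. Only the token is HttpOnly; the display
// fields are deliberately readable by client-side JavaScript. All cookies
// are Secure + SameSite=Lax + Path=/, and values are percent-encoded.
function buildSetCookieHeaders({ displayName, id, email, token }) {
  const common = 'Path=/; Secure; SameSite=Lax';
  return [
    `displayName=${encodeURIComponent(displayName)}; ${common}`,
    `id=${encodeURIComponent(String(id))}; ${common}`,
    `email=${encodeURIComponent(email)}; ${common}`,
    // HttpOnly keeps the JWT out of document.cookie, so an XSS payload
    // running in the page cannot read it.
    `token=${encodeURIComponent(token)}; ${common}; HttpOnly`,
  ];
}

// Model of what browser JavaScript sees in document.cookie for those
// headers: attributes are dropped and HttpOnly cookies are omitted.
function visibleToClientScript(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*HttpOnly\b/i.test(h))
    .map((h) => h.split(';')[0])
    .join('; ');
}

// Server side: parse an incoming Cookie request header into an object.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Constructed sample user and placeholder token (not a real signed JWT).
const SAMPLE_USER = { displayName: 'Ada Lovelace; admin', id: 42, email: 'ada@example.com' };
const SAMPLE_TOKEN = 'eyJhbGciOiJIUzI1NiJ9.e30.signature';

// Request handler with two routes: /login sets the cookies, /me returns the
// profile as JSON (out of band) for fetch()/XHR callers. The token cookie is
// sent automatically by the browser but is never echoed back in a body.
function handleRequest(req, res) {
  if (req.url === '/login') {
    res.setHeader('Set-Cookie', buildSetCookieHeaders({ ...SAMPLE_USER, token: SAMPLE_TOKEN }));
    res.setHeader('Cache-Control', 'no-store');
    res.end('logged in');
  } else if (req.url === '/me') {
    const cookies = parseCookieHeader(req.headers.cookie);
    if (!cookies.token) {
      res.statusCode = 401;
      return res.end();
    }
    // In a real app the token would be verified here before trusting it.
    res.setHeader('Content-Type', 'application/json');
    res.setHeader('Cache-Control', 'no-store');
    res.end(JSON.stringify({
      displayName: SAMPLE_USER.displayName,
      id: SAMPLE_USER.id,
      email: SAMPLE_USER.email,
    }));
  } else {
    res.statusCode = 404;
    res.end();
  }
}

// Wrap the handler in a plain Node.js http server (assumed Node runtime).
function createServer() {
  return require('http').createServer(handleRequest);
}
```

Run it with `createServer().listen(3000)`, log in via /login, and `document.cookie` in the browser will show displayName, id and email but not token; `fetch('/me')` returns the same fields as JSON. Both routes send Cache-Control: no-store so that a shared cache never retains a response carrying user-specific data.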