Open ColeWalker opened 4 years ago
It looks like as of now the refresh_token and other details in the auth header payload could be susceptible to XSS and CSRF.

For more reading on the matter - https://security.stackexchange.com/questions/180357/store-auth-token-in-cookie-or-header - it would be a case of also using sameSite to avoid CSRF (was introduced after that article was written).

Header-based auth is insecure.
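The cookie alternative the issue points at, as an added example that is not code from the issue or the project: the refresh token is issued as an HttpOnly, Secure, SameSite cookie (so scripts cannot read it and cross-site requests do not carry it), and a small checker reports which of those protections a given Set-Cookie header lacks. The cookie name `__Host-refresh_token`, the sample token values and the helper names are assumptions.

```javascript
// Added example (not from the issue or the project). Protective attributes a
// refresh-token cookie should carry; SameSite=Strict or Lax blocks CSRF,
// HttpOnly keeps the value away from XSS payloads, Secure keeps it off plain HTTP.
const CHECKS = {
  HttpOnly: (attrs) => attrs.includes("httponly"),
  Secure: (attrs) => attrs.includes("secure"),
  "SameSite=Strict|Lax": (attrs) =>
    attrs.includes("samesite=strict") || attrs.includes("samesite=lax"),
};

// Build the Set-Cookie header value for a refresh token. The __Host- prefix
// makes browsers reject the cookie unless it is Secure, has Path=/ and carries
// no Domain attribute, so a sibling subdomain cannot plant a look-alike cookie.
function refreshTokenCookie(token, maxAgeSeconds) {
  // Reject characters that would let a value smuggle in extra attributes.
  if (!/^[A-Za-z0-9._~+/=-]+$/.test(token)) {
    throw new Error("token contains characters not allowed in a cookie value");
  }
  return [
    `__Host-refresh_token=${token}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",
    "Secure",
    "SameSite=Strict",
  ].join("; ");
}

// Split a Set-Cookie header into its name=value pair and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  return { name: pair.slice(0, pair.indexOf("=")), attrs: attrs.map((a) => a.toLowerCase()) };
}

// Names of the protections a Set-Cookie header is missing (empty = hardened).
function missingProtections(header) {
  const { attrs } = parseSetCookie(header);
  return Object.keys(CHECKS).filter((name) => !CHECKS[name](attrs));
}

// Constructed samples: a default, unprotected cookie versus the hardened one.
const weak = "refresh_token=abc123; Path=/";
console.log(missingProtections(weak)); // [ 'HttpOnly', 'Secure', 'SameSite=Strict|Lax' ]
console.log(missingProtections(refreshTokenCookie("abc123", 1209600))); // []
```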