aaronpk
commented
7 months ago emphasis mine:
Additionally, the BFF SHOULD encrypt its cookie contents, to ensure that tokens stored in cookies are never written to disk in plaintext format. This security measure helps to ensure protection of the access token against malware...
I believe this is meant to be an additional layer of security when the cookie actually contains the access token. While someone who steals the cookie can use the cookie regardless of whether the contents are encrypted, they can only use it at the BFF, whereas the access token itself might be able to be used elsewhere. I will add some text to clarify this.
I was unable to find an explanation for the following point: Additionally, the BFF SHOULD encrypt its cookie contents, to ensure that tokens stored in cookies are never written to disk in plaintext format. This security measure helps to ensure protection of the access token against malware that actively scans the user's hard drive to extract sensitive browser artifacts, such as cookies and locally stored data (see Section 8).
What is the advantage of encrypting cookies? If a malicious actor steals the cookie as plain text, couldn't they just send the entire cookie in a request?