Storing them in local storage makes them indeed vulnerable to XSS attacks. If you think about old fashion way of XSS when an attacker submits a malicious JS code through some field... naha... we’re past those days. Every modern JS project is using a ton of 3rd party dependencies. And there’s your source of XSS attacks. Yes, you can store both access (I really don’t know why people constantly call them JWT, since JWT is just a format) tokens and refresh tokens in database, but what’s the advantage over session based auth?
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Storing them in local storage makes them indeed vulnerable to XSS attacks. If you think about old fashion way of XSS when an attacker submits a malicious JS code through some field... naha... we’re past those days. Every modern JS project is using a ton of 3rd party dependencies. And there’s your source of XSS attacks. Yes, you can store both access (I really don’t know why people constantly call them JWT, since JWT is just a format) tokens and refresh tokens in database, but what’s the advantage over session based auth?