
Day 29 of #100DaysOfCode: store JWT to HttpOnly Cookie instead of the localStorage

Jen-Hsuan Hsieh ・1 min read


100DaysOfCode is a series of articles to record the process of learning programming. It is just like a diary. I prefer to write a small paragraph or paste a link to the details so that I can write every day.
Feel free to check the link if you want to know more details, thank you!

I developed an SPA on Django/DWF recently. I used JSON Web Token (JWT) to authorize users for login and other operations. It's okay for me to create endpoints secured with JWT and exchange JWTs with social media access tokens.

However, security is a critical issue for JWT. Where should we store the JWT? I tried some approaches and wrote this note.


Please refer to my article for details.


It includes the following topics.

  1. The safest place: Browser’s Memory
  2. Should we store JWT in the LocalStorage?
  3. Double tokens policy: HttpOnly Cookie + CSRF token
  4. Summary


Here are some of my articles. Feel free to check them out if you like!
