First of all, "storing" JWTs on a server-side session misses the point of what a JWT is and what a server-side session is. Think of a JWT as a stateless session key. You don't store session keys to lookup on a server.
Additionally, if any of those compromised JavaScript libraries runs malicious code, they can send requests to your server using the session cookie you marked as httpOnly.
Perhaps even more importantly, since a browser simply cannot set an httpOnly cookie at all, this advice presumes that there's never a PWA that does a credential exchange using an API call. You simply can't design a web app to modern standards and rely on your auth server setting cookie functionality, especially if you hope to target multiple platforms.
Storing a JWT in LocalStorage is mostly fine. What isn't fine is linking to offsite CDNs without subresource integrity. It isn't fine just slapping random bits of JavaScript code from random vendors all over your app. If you're doing that, you have a gaping security problem and no amount of httpOnly caution will change that.
LocalStorage is fine for secure data. Having an insecure app is not. Your rant is misguided.
This information is debatable.