DEV Community


Discussion on: How to securely store JWT tokens.

nklayman profile image
Noah Klayman

Would it be possible/better to split the token between localstorage and a cookie? This would prevent against CSRF and XSS token-stealing attacks at the same time. Part of the token is only accessible by the actual site because it is stored in localstorage, and part of the token in not accessible by JS at all, but could be sent from any site.

gkoniaris profile image
George Koniaris Author

Yes, it has been mentioned in other comments too. It’s a nice approach!!