Nice article :)
I'd just add a bit of constructive criticism (disclaimer: opinionated content ahead)
Saying that localStorage is just unsafe is not entirely true.
You CAN quite easily prevent JS libs from accessing your JWT when stored in localStorage (see my article).
Moreover, if someone with bad intentions can run JS on your website, seeing your tokens stolen will be the least of your problems...
And finally, it is very easy to forget that protecting against XSS attacks with cookies will likely make your app vulnerable to CSRF attacks.
Agreed, HttpOnly cookies may be the way to go when you're a cybersecurity ayatollah who knows what he's doing, but if you're building humble SPAs and you don't know much about security, storing tokens in localStorage may actually be safer: you just have to trust the libraries you depend upon, that's all (while using cookies means actively protecting your endpoints against CSRF... meaning that you must be conscious of the existence of this technique).
I wrote about "cookies vs localStorage for token storage" here:
localStorage vs cookies: the "tabs vs spaces" sterile debate of web development 🙄
Olivier Guimbal ・ Nov 25 '20 ・ 3 min read
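One concrete way to keep a localStorage-held JWT away from third-party scripts, as an added example illustrating the comment above (this is not the commenter's code and not the technique from the linked article, which is not reproduced here): the first script on the page reads the token into a closure and removes the key, so every later-loaded library sees `null`, and the token is only ever used through an `authFetch()` wrapper that adds the `Authorization` header. The names `createTokenVault`, `authFetch`, `persist`, `STORAGE_KEY`, the in-memory storage shim and the sample token are all this example's own.

```javascript
// Added example, not code from the comment or its linked article: keep a JWT that
// lives in localStorage out of reach of third-party scripts loaded after our own.
// Our first script reads the token into a closure and removes the key; other code
// then gets null for that key, and the token is only ever used via authFetch(),
// which attaches it as an Authorization header. Names (createTokenVault, authFetch,
// persist, STORAGE_KEY) are this example's own.

const STORAGE_KEY = "jwt";

// Tiny in-memory Storage stand-in (constructed) so the example runs outside a browser.
// In a page you would pass window.localStorage instead.
function makeMemoryStorage() {
  const map = new Map();
  return {
    getItem: (key) => (map.has(key) ? map.get(key) : null),
    setItem: (key, value) => { map.set(key, String(value)); },
    removeItem: (key) => { map.delete(key); },
  };
}

// Call this before any third-party bundle runs.
function createTokenVault(store, fetchImpl) {
  let token = store.getItem(STORAGE_KEY);
  store.removeItem(STORAGE_KEY); // from now on getItem("jwt") returns null for everyone

  return {
    hasToken: () => token !== null,          // answers yes/no, never hands the token out
    setToken: (next) => { token = next; },   // e.g. after a refresh-token exchange
    // The only path that uses the token: our own API calls get the header.
    authFetch: (url, init = {}) => {
      const headers = { ...(init.headers || {}) };
      if (token !== null) headers.Authorization = `Bearer ${token}`;
      return fetchImpl(url, { ...init, headers });
    },
    // Write the token back so it survives a reload; wire this to the pagehide event.
    persist: () => { if (token !== null) store.setItem(STORAGE_KEY, token); },
  };
}

// Walk through the scenario with a constructed token and a fake fetch that records
// the Authorization header it was handed.
function demo() {
  const store = makeMemoryStorage();
  const sampleToken = "eyJhbGciOiJIUzI1NiJ9.e30.constructed"; // constructed, not a real JWT
  store.setItem(STORAGE_KEY, sampleToken);

  const calls = [];
  const fakeFetch = (url, init) => {
    calls.push({ url, auth: init.headers.Authorization });
    return Promise.resolve({ ok: true });
  };

  const vault = createTokenVault(store, fakeFetch);   // our first script on the page
  const seenByLibrary = store.getItem(STORAGE_KEY);   // what a later-loaded lib gets
  vault.authFetch("https://api.example.test/me");     // our own call still works
  vault.persist();                                     // just before unload

  return {
    seenByLibrary,                        // null
    authHeader: calls[0].auth,            // "Bearer <token>"
    restored: store.getItem(STORAGE_KEY), // token is back for the next page load
    hasToken: vault.hasToken(),
  };
}
```

In a browser you would run `createTokenVault(window.localStorage, window.fetch.bind(window))` from the first inline script and register `vault.persist` on `pagehide`. Two caveats: any script that executes before the vault, or that wraps `fetch`/`XMLHttpRequest`, can still read the token, which is the "trust the libraries you depend upon" part of the comment; and because nothing here is attached automatically by the browser, the CSRF concern that comes with cookies does not apply to this storage path.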