DEV Community

Discussion on: Storing tokens in single-page applications

Omar Atta

With HttpOnly you are still vulnerable to self-XSS: any browser extension, for example, could send requests to your server as the authenticated user. How should we deal with it?

Paul Arah

Embed CSRF tokens in your auth token's payload and also save the CSRF token in local storage. Then on the server, verify the CSRF token in the payload against the CSRF token retrieved from local storage. This completely isolates you from both types of attack.

ndiuel

You pray to your God for protection.

Bjørn Lindholm

That's a tricky one. One way could be to store the cookie in memory with a limited scope.

Milad Ranjbar

Actually, you're vulnerable to CSRF if using the cookie with HttpOnly, but you can use a package, csurf, to solve this problem.