DEV Community

Cover image for Is It Over for `localStorage`? Was It Ever That Good?
Werliton Silva
Werliton Silva

Posted on

Is It Over for `localStorage`? Was It Ever That Good?

#webdev #programming #beginners #javascript

Hey Dev,

If you're just starting out in web development, chances are you've used (or seen someone use) localStorage to store a JWT token after login. It's easy, quick, and right there in the browser. But... is it actually safe?

Spoiler: not really.

In this post, we’ll explore why localStorage can be a security trap and how you can better protect your application’s data.

🚨 The Problem with localStorage

scripts

Think of localStorage as an open drawer in your browser. Any JavaScript running on your page can open that drawer and grab whatever it wants. That includes malicious scripts injected through attacks like XSS (Cross-Site Scripting).

If an attacker manages to run JavaScript on your site, they can easily read your token and send it to a remote server. No fancy hacking needed.

🔐 How to Protect Your App

If you're working with JWTs (and many apps do), here are some best practices to avoid common pitfalls:

1. Always Use HTTPS

https

HTTPS ensures that the data exchanged between the browser and your server is encrypted. While it doesn’t prevent XSS, it does protect against man-in-the-middle attacks and eavesdropping.

2. Set Token Expiration

jwt

JWTs can include an expiration time (exp claim). This limits the window of opportunity for an attacker to use a stolen token.

Even if a token is compromised, it will only be valid for a short period—reducing the potential damage.

3. Validate Tokens on the Server

Never trust data coming from the client blindly. Always validate the token on the server side:

  • Check the signature
  • Verify the expiration
  • Confirm the token hasn’t been tampered with This ensures that only valid, untampered tokens are accepted.

4. Consider Secure Cookies Instead

cookies

For applications that require higher security, storing tokens in secure, HTTP-only cookies is a much safer alternative.

Why Cookies?

  • HttpOnly: Prevents JavaScript from accessing the cookie, protecting it from XSS attacks.
  • Secure: Ensures the cookie is only sent over HTTPS.
  • SameSite: Helps mitigate CSRF (Cross-Site Request Forgery) attacks.

Example: Setting a Secure Cookie

On the server (e.g., using Express.js), you can set a cookie like this:

res.cookie('token', jwtToken, {
  httpOnly: true,
  secure: true,
  sameSite: 'Strict',
  maxAge: 3600000 // 1 hour
});
Enter fullscreen mode Exit fullscreen mode

This cookie will be automatically sent with every request to your server, and it won’t be accessible via document.cookie or any client-side script.

Bonus: Automatic Handling

Since cookies are sent automatically with each request, you don’t need to manually attach the token to every API call. This simplifies your frontend logic and reduces the risk of leaking tokens.

Final Thoughts

localStoragemight seem like a convenient solution, but when it comes to security, it falls short. For simple apps or prototypes, it might be acceptable. But in production - especially when dealing with sensitive data - it's worth investing in more secure alternatives.

So, back to the question:
Was it ever that good?
Maybe... but its time is up.

If you found this helpful, save it, share it with your dev friends, and let me know: are you still using localStorage for tokens?

Top comments (2)

Collapse
 
dev_king profile image
Dev King

Thank bro. Very useful this post

Collapse
 
werliton profile image
Werliton Silva

thanku