Should JWT be stored in localStorage or cookie? [duplicate]

by

I like the XSRF Double Submit Cookies method which mentioned in the article that @pkid169 said, but there is one thing that article doesn’t tell you. You are still not protected against XSS because what the attacker can do is inject script that reads your CSRF cookie (which is not HttpOnly) and then make a request to one of your API endpoints using this CSRF token with JWT cookie being sent automatically.

So in reality you are still susceptible to XSS, it’s just that attacker can’t steal you JWT token for later use, but he can still make requests on your users behalf using XSS.

Whether you store your JWT in a localStorage or you store your XSRF-token in not http-only cookie, both can be grabbed easily by XSS. Even your JWT in HttpOnly cookie can be grabbed by an advanced XSS attack.

So in addition of the Double Submit Cookies method, you must always follow best practices against XSS including escaping contents. This means removing any executable code that would cause the browser to do something you don’t want it to. Typically this means removing // <![CDATA[ tags and HTML attributes that cause JavaScript to be evaluated.

More Related Contents:

  1. Where to store JWT in browser? How to protect against CSRF?
  2. What is the best way to implement “remember me” for a website? [closed]
  3. Are HTTP cookies port specific?
  4. If you can decode JWT, how are they secure?
  5. JWT (JSON Web Token) automatic prolongation of expiration
  6. What is the best way to prevent session hijacking?
  7. JWT refresh token flow
  8. Where to save a JWT in a browser-based application and how to use it
  9. Is it safe to put a jwt into the url as a query parameter of a GET request?
  10. Do I have to store tokens in cookies or localstorage or session?
  11. How to manually decrypt an ASP.NET Core Authentication cookie?
  12. Best practices for server-side handling of JWT tokens [closed]
  13. Remember me Cookie best practice?
  14. is it bad to pass jwt token as part of url?
  15. Setting cookie in iframe – different Domain
  16. Fundamental difference between Hashing and Encryption algorithms
  17. Detecting if a browser is using Private Browsing mode
  18. Best way to handle security and avoid XSS with user entered URLs
  19. How do you protect your software from illegal distribution? [closed]
  20. How can I throttle user login attempts in PHP
  21. Why is using a Non-Random IV with CBC Mode a vulnerability?
  22. What should every programmer know about security? [closed]
  23. Stopping users voting multiple times on a website
  24. How do I store and retrieve credentials from the Windows Vault credential manager?
  25. MVC 6 Bind Attribute disappears?
  26. How will a server become vulnerable with chmod 777?
  27. When the bots attack! [closed]
  28. Should I impose a maximum length on passwords?
  29. Google Authenticator available as a public service?
  30. Should be used for JSF 2.2 CSRF protection?

Leave a Comment