storing tokens in localStorage is a security risk
Opened this issue · 1 comments
Toerktumlare commented
Storing JWTs in local storage is a security risk according to OWASP. LocalStorage is accessible from JavaScript, which means in case of an XSS any token can be stolen.
quotes from the text:
A single Cross Site Scripting can be used to steal all the data in these objects, so again it's recommended not to store sensitive information in local storage.
and
Do not store session identifiers in local storage as the data is always accessible by JavaScript. Cookies can mitigate this risk using the httpOnly flag.
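As an added illustration of the two OWASP quotes above (example code written here, not from the project or the commenter): the localStorage pattern the issue warns about beside the HttpOnly cookie mitigation it recommends. Everything is simulated in plain Node so it runs offline; `fakeLocalStorage`, `issueSessionCookie`, `readSessionCookie` and `visibleToPageScripts` are assumed helper names, and the browser's filtering of HttpOnly cookies out of `document.cookie` is modelled, not called.

```javascript
// Added example, not code from the issue thread or the project under discussion.

// --- Risky pattern: token kept in window.localStorage ---------------------
// Constructed stand-in for the browser's localStorage so this runs under Node.
const fakeLocalStorage = new Map();

function storeTokenInLocalStorage(token) {
  fakeLocalStorage.set('jwt', token);
}

// Every script executing in the page origin, the app's own code included,
// reads the item back the same way: there is no isolation boundary here.
function anyScriptCanReadToken() {
  return fakeLocalStorage.get('jwt');
}

// --- Mitigation: server-issued HttpOnly session cookie ---------------------
// Builds the Set-Cookie header value the server sends after login.
//   HttpOnly        not exposed to document.cookie or any page script
//   Secure          only transmitted over HTTPS
//   SameSite=Strict not attached to cross-site requests
//   Max-Age         short lifetime limits the window if a cookie does leak
function issueSessionCookie(token, maxAgeSeconds = 900) {
  // Cookie values may not contain ';', ',' or whitespace; reject early.
  if (!/^[A-Za-z0-9._~+\/=-]+$/.test(token)) {
    throw new Error('token contains characters not allowed in a cookie value');
  }
  return [
    `session=${token}`,
    'HttpOnly',
    'Secure',
    'SameSite=Strict',
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
  ].join('; ');
}

// Server side: recover the token from the Cookie request header. The browser
// attached it automatically; no page script ever handled the value.
function readSessionCookie(cookieHeader) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'session') return rest.join('=');
  }
  return null;
}

// Model of what document.cookie would expose to page scripts: a browser
// omits every cookie that was set with the HttpOnly attribute.
function visibleToPageScripts(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => h.split(';').map((s) => s.trim()))
    .filter((attrs) => !attrs.some((a) => a.toLowerCase() === 'httponly'))
    .map((attrs) => attrs[0].split('=')[0]);
}

// Usage (constructed token value, not a real JWT):
const demoToken = 'eyJhbGciOi.constructed.token';
storeTokenInLocalStorage(demoToken);
console.log('localStorage exposes:', anyScriptCanReadToken());
const setCookie = issueSessionCookie(demoToken, 600);
console.log('Set-Cookie:', setCookie);
console.log('names a page script can see:',
  visibleToPageScripts([setCookie, 'theme=dark; Path=/']));
```

The cookie route only moves the token out of script reach; an XSS can still make requests that carry the cookie, so the HttpOnly flag should be paired with SameSite, a short Max-Age and CSRF protection on state-changing endpoints.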
SaiUpadhyayula commented
@Tandolf Thank you for taking the time to suggest the changes, I highly appreciate it. I agree, I will plan to change this implementation.