Storing access tokens in localStorage
Opened this issue · 0 comments
SamMousa commented
Storing access tokens in localStorage is a bad practice.
Here's an interesting rant on it: https://www.rdegges.com/2018/please-stop-using-local-storage/
The summary is that when using this kind of approach to storing a session secret any XSS attack will lead to leakage of the access token.
I don't think these risks can be fully mitigated when running purely in the client; if there is a server-side component, a solution is to use session cookies.
Some mitigation might be possible by using a ServiceWorker that injects the credentials for each fetch.
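As an added illustration of the ServiceWorker approach mentioned above (example code, not from this issue or the project), the worker below holds the access token only in its own memory, receives it once from the page via postMessage, and attaches it solely to requests bound for the API origin; the origin `https://api.example.invalid`, the message shape and the helper name are assumptions.

```javascript
// Added example: keep the access token inside a Service Worker instead of localStorage.
// Page script (including injected XSS payloads) cannot read the worker's variables, so
// the token itself is not directly exfiltratable the way a localStorage value is.
// Assumptions: API_ORIGIN is a placeholder, and the page posts {type: 'SET_TOKEN', token}
// to the worker after login.

const API_ORIGIN = 'https://api.example.invalid'; // placeholder API origin

let accessToken = null; // lives only in the worker's memory, never in storage

// Pure helper: returns the headers to send, with Authorization added, or null when the
// request must be left untouched (no token, unparsable URL, or a non-API origin).
// Refusing non-API origins keeps the token from being sent to third-party hosts.
function authorizedHeaders(url, existingHeaders, token, apiOrigin) {
  if (!token) return null;
  let origin;
  try {
    origin = new URL(url).origin;
  } catch {
    return null;
  }
  if (origin !== apiOrigin) return null;
  return { ...existingHeaders, Authorization: `Bearer ${token}` };
}

// Worker wiring; guarded so the helper above can also be loaded outside a browser.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function') {
  self.addEventListener('message', (event) => {
    // The page hands over the token once; it is never echoed back to the page.
    if (event.data && event.data.type === 'SET_TOKEN') {
      accessToken = event.data.token;
    }
  });

  self.addEventListener('fetch', (event) => {
    const req = event.request;
    const headers = authorizedHeaders(
      req.url, Object.fromEntries(req.headers), accessToken, API_ORIGIN,
    );
    if (headers === null) return; // not an API call: let the browser handle it as-is
    event.respondWith(fetch(new Request(req, { headers })));
  });
}
```

Note that this only limits direct token theft: script already running in the page can still call the API through the worker and have requests authorized on its behalf, which is why the issue's point about server-side session cookies still stands.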