szerhusenBC/jwt-spring-security-demo

setting JWTs in local storage is a security risk.

Toerktumlare opened this issue · 1 comments

Setting JWTs in local storage is bad practice according to OWASP, and makes JWTs suceptible to session steal through for instance an XSS.

https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#local-storage

Do not store session identifiers in local storage as the data is always accessible by JavaScript. Cookies can mitigate this risk using the httpOnly flag.

and

A single Cross Site Scripting can be used to steal all the data in these objects, so again it's recommended not to store sensitive information in local storage.

Thanks for that hint, I will change that.