setting JWTs in local storage is a security risk.
Toerktumlare opened this issue · 1 comments
Toerktumlare commented
Setting JWTs in local storage is bad practice according to OWASP, and makes JWTs suceptible to session steal through for instance an XSS.
https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#local-storage
Do not store session identifiers in local storage as the data is always accessible by JavaScript. Cookies can mitigate this risk using the httpOnly flag.
and
A single Cross Site Scripting can be used to steal all the data in these objects, so again it's recommended not to store sensitive information in local storage.
szerhusenBC commented
Thanks for that hint, I will change that.