
Hello, I have a React app which is using JWT for authentication. We store this JWT in local storage, but the security people in our team are telling us that it is not secure because this token can be accessed via JavaScript.

They are asking us to store it in a cookie instead, because it is not secure. But for me, cookies can be accessed in JS too, so I don't see the point here.

Do you know why cookie storage should be more secure than local and session storage? Is it really the case?

What is the safest way to use JWT?

I'm not asking how should I use JWT but what is the best way to secure it.

Kevin
  • Possible duplicate of [How do I store JWT and send them with every request using react](https://stackoverflow.com/questions/39176237/how-do-i-store-jwt-and-send-them-with-every-request-using-react) – Vasileios Pallas Sep 09 '19 at 08:19
  • Take a look at the third comment of this answer (don't do what the answer says) [https://stackoverflow.com/a/39177841/3763848](https://stackoverflow.com/a/39177841/3763848) – Vasileios Pallas Sep 09 '19 at 08:20

1 Answer


Unlike localStorage data, you can set a cookie to HttpOnly, so that it is not accessible via JavaScript code.

Refer to MDN - Secure and HttpOnly cookies:

To help mitigate cross-site scripting (XSS) attacks, HttpOnly cookies are inaccessible to JavaScript's Document.cookie API; they are only sent to the server. For example, cookies that persist server-side sessions don't need to be available to JavaScript, and the HttpOnly flag should be set.

Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly

Nappy