2

I'm using Angular 10 for the front end. I'm getting a JWT from back-end services. I need to store my Okta JWT securely in the browser. I have studied storing the token in window.sessionStorage, window.localStorage or an HTTP-only secure cookie, but I'm not sure how to avoid XSS and XSRF attacks.

What is the best approach to store a JWT securely and use it while adhering to XSS and XSRF prevention?

Thanks in advance

Souvik Sarkar
    You can't store anything securely in a browser. Just store your JWT. You can even display it on your website, in the face of the world if you want. It doesn't matter, because your token will be validated server-side anyway, not browser-side. – Jeremy Thille Dec 18 '20 at 09:33
  • Does this answer your question? [Where to store JWT in browser? How to protect against CSRF?](https://stackoverflow.com/questions/27067251/where-to-store-jwt-in-browser-how-to-protect-against-csrf) – Lin Du Dec 18 '20 at 10:49
  • XSS and CSRF attacks have nothing whatsoever to do with how you store a JWT token. – Quentin Dec 18 '20 at 11:41
  • In my case I stored the JWT token in LocalStorage. I have a middleware on the backend side; upon request I'm validating and verifying the token. – Akram Hossain Dec 18 '20 at 12:13
  • You may encrypt the token using AES and store it, then decrypt it at run time to make any server-side calls. – souvikbachhar Dec 18 '20 at 12:47

1 Answer

2

It is not possible for data held on the client side to be "secure". There is nothing more than a JsonWebToken implementation with a short expiration time. If you keep them in local storage, you can additionally encrypt them and decrypt them when you need to use the token to communicate with the server.

I recommend reading this article by George Koniaris.

Krzysztofz01
  • In that article there is not a single recommendation about encryption though. But I think encryption is a good basic first alternative. – Pepe Alvarez Jul 23 '22 at 16:31