generated from SimpleJWT/drf-SimpleJWT-server-template
Open
Both the creators of the JWT standard and OWASP say not to store tokens in local storage, as it makes your site vulnerable to cross-site scripting, yet you store the JWT tokens in local storage (jwt-react/src/api/auth.js).
- "You also should not store sensitive session data in browser storage due to lack of security." https://jwt.io/introduction/
- "A single Cross Site Scripting can be used to steal all the data in these objects, so again it's recommended not to store sensitive information in local storage." https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#local-storage
I'm looking to implement something like this and haven't found a good alternative yet (maybe HTTP cookies, but then you need to address CSRF). I'm curious how this could be addressed.