I'm creating a JWT login mechanism for a site.
There are two very opposing opinions on how to store the JWT. Stormpath swears by HttpOnly cookies: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage Auth0 swears by localStorage: https://auth0.com/blog/cookies-vs-tokens-definitive-guide
At first I sided with Auth0, then with Stormpath, but now I'm back to thinking localStorage is best. The pitfall of localStorage is that an XSS attack can capture the JWT; the pitfall of Auth0 is that a CSRF attack can steal the cookie.
It seems like the developer can make the cookie method really difficult for the hacker to gain access through CSRF, but not impossible. However, if the developer uses localStorage, manages his codebase and sanitizes his inputs, it seems that the hacker has no way in. Is this wrong?