3

I'm working on my first application and I was sending both the access and refresh token (JWT) in the response, as I've learned before, but the frontend developer does not really know where it can be stored safely, as you can find different opinions about localStorage and sessionStorage. I continued investigating and also read about sending the token not in the response but as an httpOnly cookie.

What really is the best way to send and store a jwt token?

3 Answers

2

Never store a JWT token in local / session storage, as this leaves room for XSS attacks. If you must store it somewhere you should do it in a cookie with the HttpOnly and secure flags on.

You can read more about this here and here.

kingJulian
    I don't understand why using HttpOnly is any better. 1) You now have to deal with CSRF vulnerabilities, whereas React and Angular provide pretty decent XSS defensive measures. 2) If you're vulnerable to XSS, you're screwed anyway. HttpOnly cookies get sent automatically with any request so... – alex067 Mar 04 '20 at 18:54
  • See this question here (https://security.stackexchange.com/questions/175536/does-a-csrf-cookie-need-to-be-httponly) for more details – kingJulian Mar 05 '20 at 08:39
  • That question is about the CSRF token though, not about the JWT token – alex067 Mar 05 '20 at 16:00
1

I'm in the same situation as you.

There seems to be like 20 different opinions on this topic, and each solution comes with its own security vulnerabilities.

Setting them up as HttpOnly cookies is apparently safer, but if your site is vulnerable to XSS, then the attacker just has to make any request to a protected endpoint, and your JWT is auto-sent with your HttpOnly cookie. How is that safer?

alex067
-1

Here is some information from blog.angular-university.io: https://blog.angular-university.io/angular-jwt-authentication/#step4storingandusingthejwtontheclientside

  • Step 3 - Sending a JWT back to the client
    • Where to store a JWT Session Token?
    • Cookies vs Local Storage
  • Step 4 - Storing and using the JWT on the client side
    • Checking User Expiration

...

Once we receive the JWT on the client, we need to store it somewhere; otherwise it will be lost if we refresh the browser and we would have to log in again.

There are many places where we could save the JWT (other than cookies). A practical place to store the JWT is on Local Storage, which is a key/value store for string values that is ideal for storing a small amount of data.