Context: I'm looking at storage solutions for JWT tokens on a single page application.
- Storing the JWT in the local storage is unsafe and prone to XSS attacks.
- Storing the JWT in a secure / HTTP only cookie is safer, but prone to CSRF attacks.
I'm studying the following scenario:
Upon authentication, a refresh token is stored in an http only secure cookie. It can only be used to get an access token.
Upon authorisation, the backend responds with a JWT access token. The header and payload part of the JWT are inside the response body. The token signature is not sent and is set in an http only secure cookie (same-site strict if possible, but let's assume it's not the case). The header + payload is stored in memory.
The JWT contains the following claims
- iat, nbf, exp (guessable IMO)
- claims relative to the user identity and permissions (guessable if the user identity is known)
- jti, containing a cryptographically secure random number (in my case generated with python secrets)
When making requests, the header + payload is sent via XHR/fetch by the SPA in an Authorisation header. The signature is sent along with the cookies. The backend concatenates both and verifies the signature.
- Is this mechanism safe against CSRF attacks? Does the jti claim make the Authorisation token + signature cookie a valid CSRF mitigation technique?
- Is this mechanism indeed safer against XSS attacks than storing the JWT inside the local storage? (Could an attack using XSS also easily steal the signature, like with a TRACE exploit?)
Note: I've read this question which is similar, but overly broad so I'm posting this to get a more precise answer.
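To make the split-token scheme described in the question concrete, here is an added example (my own code, not part of the original question or of any library) of the backend side: issuing an HS256 JWT whose `header.payload` part goes in the response body and whose signature goes in an `HttpOnly; Secure` cookie, then verifying a request by recombining the two halves. The key, the claim names `sub`/`perms`, the cookie name `jwt_sig` and the sample timestamps are assumptions made for the example. The checks at the end show why the two halves are only useful together: a request carrying the cookie alone (the shape a CSRF request takes, since a cross-site form cannot set an `Authorisation` header) and a request carrying the body half alone (what a script that could read memory but not the cookie would have) are both rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side signing key for the example; a real deployment loads it from config.
SECRET_KEY = secrets.token_bytes(32)
COOKIE_NAME = "jwt_sig"  # assumed cookie name


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_split_token(user_id, permissions, key, now=None, ttl=900):
    """Return (signing_input, signature): the first goes in the response body,
    the second only in the HttpOnly cookie. Claims mirror the question: iat/nbf/exp,
    identity/permissions, and a jti from the secrets module."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": user_id,
        "perms": permissions,
        "iat": now,
        "nbf": now,
        "exp": now + ttl,
        "jti": secrets.token_urlsafe(32),
    }
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    signature = b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())
    return signing_input, signature


def signature_cookie_header(signature: str) -> str:
    """Set-Cookie value for the signature half (SameSite=Strict when the site layout allows it)."""
    return f"{COOKIE_NAME}={signature}; HttpOnly; Secure; SameSite=Strict; Path=/"


def verify_request(auth_header, cookie_signature, key, now=None):
    """Recombine the Authorisation header (header.payload) with the cookie (signature).
    Returns the payload dict on success, None on any failure."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    signing_input = auth_header[len("Bearer "):]
    if signing_input.count(".") != 1 or not cookie_signature:
        return None
    # Check the MAC before parsing anything, using a constant-time comparison.
    expected = b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, cookie_signature):
        return None
    header_b64, payload_b64 = signing_input.split(".")
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm: the server decides how it signs, not the token.
    if header.get("alg") != "HS256":
        return None
    now = int(time.time() if now is None else now)
    if not (payload.get("nbf", 0) <= now < payload.get("exp", 0)):
        return None
    return payload


if __name__ == "__main__":
    part, sig = issue_split_token("alice", ["read"], SECRET_KEY)
    print("body:", part)
    print("Set-Cookie:", signature_cookie_header(sig))
    print("verified:", verify_request("Bearer " + part, sig, SECRET_KEY))
```

`verify_request` deliberately checks the HMAC before decoding any JSON, so a tampered or forged `header.payload` is rejected before the server trusts a single claim, and it refuses tokens whose header names any algorithm other than the one the server uses.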