SaiUpadhyayula / angular-reddit-clone

This repository contains source code for the Reddit Clone application built in Angular, the backend is built using Spring boot - https://github.com/SaiUpadhyayula/spring-reddit-clone

storing tokens in localStorage is a security risk #1

Open Toerktumlare opened 3 years ago

Toerktumlare commented 3 years ago

https://github.com/SaiUpadhyayula/angular-reddit-clone/blob/598e431a2861e1b1586ee1ffd4555a1ea059861d/src/app/auth/shared/auth.service.ts#L46

Storing JWTs in local storage is a security risk according to OWASP. LocalStorage is accessible from JavaScript, which means in case of an XSS any token can be stolen.

OWASP Local Storage

Quotes from the text:

A single Cross Site Scripting can be used to steal all the data in these objects, so again it's recommended not to store sensitive information in local storage.

and

Do not store session identifiers in local storage as the data is always accessible by JavaScript. Cookies can mitigate this risk using the httpOnly flag.
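The mitigation the quoted OWASP text points to (an `httpOnly` cookie instead of `localStorage`) as an added TypeScript example, not code from this issue or from the angular-reddit-clone / spring-reddit-clone projects. It builds the `Set-Cookie` header a backend would send for the JWT after login and audits any `Set-Cookie` header for the flags that keep the token out of reach of page scripts. The function names, the attribute set and the sample token value are assumptions of this example.

```typescript
// Added example, not code from the angular-reddit-clone or spring-reddit-clone
// projects. It shows the mitigation the OWASP quote describes: deliver the JWT
// in an HttpOnly cookie so page scripts (including an injected XSS payload)
// cannot read it, and audit a Set-Cookie header for the flags that make that hold.

interface CookieAttributes {
  httpOnly: boolean;                    // not exposed via document.cookie
  secure: boolean;                      // only sent over HTTPS
  sameSite: "Strict" | "Lax" | "None";  // limits cross-site sending
  path: string;
  maxAgeSeconds?: number;
}

// Builds the Set-Cookie header value a backend would emit after login.
// `buildSetCookie` and its attribute set are assumptions of this example.
function buildSetCookie(name: string, token: string, attrs: CookieAttributes): string {
  // An RFC 6265 cookie-value cannot contain whitespace, ';', ',' or '"'.
  // A compact JWT (base64url segments joined by '.') satisfies this.
  if (token.length === 0 || /[\s;,"]/.test(token)) {
    throw new Error("token is not a valid cookie-value");
  }
  if (attrs.sameSite === "None" && !attrs.secure) {
    throw new Error("SameSite=None requires Secure");
  }
  const parts = [`${name}=${token}`, `Path=${attrs.path}`];
  if (attrs.maxAgeSeconds !== undefined) parts.push(`Max-Age=${attrs.maxAgeSeconds}`);
  if (attrs.secure) parts.push("Secure");
  if (attrs.httpOnly) parts.push("HttpOnly");
  parts.push(`SameSite=${attrs.sameSite}`);
  return parts.join("; ");
}

// Audits an existing Set-Cookie header and returns the problems found.
// An empty array means the cookie carries the flags OWASP recommends.
function auditSetCookie(header: string): string[] {
  const segments = header.split(";").map((s) => s.trim()).filter((s) => s.length > 0);
  if (segments.length === 0 || !segments[0].includes("=")) {
    return ["malformed header: missing name=value pair"];
  }
  // Attribute names are case-insensitive; collect them lower-cased.
  const attrs = new Map<string, string>();
  for (const seg of segments.slice(1)) {
    const eq = seg.indexOf("=");
    const key = (eq === -1 ? seg : seg.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? "" : seg.slice(eq + 1).trim();
    attrs.set(key, val);
  }
  const problems: string[] = [];
  if (!attrs.has("httponly")) problems.push("missing HttpOnly: token readable via document.cookie");
  if (!attrs.has("secure")) problems.push("missing Secure: token may be sent over plaintext HTTP");
  const sameSite = attrs.get("samesite");
  if (sameSite === undefined) {
    problems.push("missing SameSite: browser default applies, set it explicitly");
  } else if (sameSite.toLowerCase() === "none" && !attrs.has("secure")) {
    problems.push("SameSite=None without Secure: rejected by modern browsers");
  }
  return problems;
}

// Constructed, JWT-shaped sample value (not a real signed token).
const SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl";

const HARDENED_COOKIE = buildSetCookie("jwt", SAMPLE_TOKEN, {
  httpOnly: true, secure: true, sameSite: "Strict", path: "/", maxAgeSeconds: 900,
});

console.log(HARDENED_COOKIE);
// A cookie set without the flags, as a script would be able to read it:
console.log(auditSetCookie("jwt=" + SAMPLE_TOKEN + "; Path=/"));
```

With this approach the Angular side no longer reads or stores the token at all: the browser attaches the cookie itself when `HttpClient` requests are made with `withCredentials: true`, and the `SameSite` attribute is what limits cross-site requests from carrying it, so it belongs alongside `HttpOnly` rather than as an afterthought.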

SaiUpadhyayula commented 3 years ago

@Tandolf Thank you for taking the time to suggest the changes; I highly appreciate it. I agree; I will plan to change this implementation.