This repository contains source code for the Reddit Clone application built in Angular, the backend is built using Spring boot - https://github.com/SaiUpadhyayula/spring-reddit-clone
177 stars, 151 forks
storing tokens in localStorage is a security risk #1
Storing JWTs in local storage is a security risk according to OWASP. LocalStorage is accessible from JavaScript, which means in case of an XSS any token can be stolen.

https://github.com/SaiUpadhyayula/angular-reddit-clone/blob/598e431a2861e1b1586ee1ffd4555a1ea059861d/src/app/auth/shared/auth.service.ts#L46

Quotes from the text:

> A single Cross Site Scripting can be used to steal all the data in these objects, so again it's recommended not to store sensitive information in local storage.

and

> Do not store session identifiers in local storage as the data is always accessible by JavaScript. Cookies can mitigate this risk using the httpOnly flag.

OWASP Local Storage
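The following is an added example, not code from the angular-reddit-clone or spring-reddit-clone projects and not part of the issue above. It contrasts the two storage models the issue discusses: a JWT kept in localStorage, which any script running on the page can read, and a JWT delivered as an HttpOnly cookie, which the browser sends to the backend but never exposes to page scripts. The browser cookie jar and localStorage are simulated with small stand-ins so the behaviour can be checked offline in Node.js; the cookie name `auth`, the storage key `authenticationToken`, the sample token and the 15 minute lifetime are assumptions made for the example. The `auditSetCookie` helper is the kind of check to run against a login response when reviewing the backend side of this change.

```javascript
// Added example (not project code): HttpOnly session cookie vs. token in localStorage.
// Node.js, no dependencies. Browser cookie jar and localStorage are simulated.

const TOKEN = 'eyJhbGciOiJIUzI1NiJ9.constructed.sample-jwt'; // constructed sample value

// Backend side: Set-Cookie header for the login response.
// Cookie name, path and lifetime are assumptions for this example.
function buildAuthSetCookie(token, maxAgeSeconds = 15 * 60) {
  return [
    `auth=${encodeURIComponent(token)}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',        // hidden from document.cookie, so an XSS payload cannot read it
    'Secure',          // only sent over HTTPS
    'SameSite=Strict', // not attached to cross-site requests (CSRF mitigation)
  ].join('; ');
}

// Review helper: list the protective attributes a Set-Cookie header is missing.
function auditSetCookie(header) {
  const attrs = header.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Minimal stand-in for the browser cookie jar. Real browsers also enforce
// domain, path and scheme rules; only the HttpOnly visibility split is modelled.
class CookieJar {
  constructor() { this.cookies = new Map(); }

  setFromHeader(header) {
    const [pair, ...rest] = header.split(';');
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq).trim();
    const value = decodeURIComponent(pair.slice(eq + 1).trim());
    const httpOnly = rest.some((a) => a.trim().toLowerCase() === 'httponly');
    this.cookies.set(name, { value, httpOnly });
  }

  // What document.cookie returns to page scripts: HttpOnly cookies are omitted.
  scriptVisible() {
    return [...this.cookies]
      .filter(([, c]) => !c.httpOnly)
      .map(([n, c]) => `${n}=${c.value}`)
      .join('; ');
  }

  // What the browser attaches to a same-site request to the backend.
  requestCookieHeader() {
    return [...this.cookies].map(([n, c]) => `${n}=${c.value}`).join('; ');
  }
}

// Stand-in for window.localStorage.
const localStorageStandIn = new Map();

// Pattern flagged in the issue: the client keeps the JWT in localStorage.
function loginStoringInLocalStorage(token) {
  localStorageStandIn.set('authenticationToken', token);
}

// Mitigated pattern: the backend sets an HttpOnly cookie; the client stores
// nothing and sends requests with credentials (withCredentials: true in
// Angular's HttpClient). Returns the jar state after the login response.
function loginWithHttpOnlyCookie(token) {
  const jar = new CookieJar();
  jar.setFromHeader(buildAuthSetCookie(token));
  return jar;
}

// True if a script running on the page could read the token in the given model.
function tokenExposedToScript(model) {
  if (model === 'localStorage') {
    loginStoringInLocalStorage(TOKEN);
    return localStorageStandIn.get('authenticationToken') === TOKEN;
  }
  return loginWithHttpOnlyCookie(TOKEN).scriptVisible().includes(TOKEN);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('localStorage model, token readable by script:', tokenExposedToScript('localStorage'));
  console.log('HttpOnly cookie model, token readable by script:', tokenExposedToScript('cookie'));
  console.log('cookie still sent to backend:',
    loginWithHttpOnlyCookie(TOKEN).requestCookieHeader().includes(TOKEN));
  console.log('audit of a weak header:', auditSetCookie('auth=abc; Path=/'));
}
```

Moving the token into a cookie changes the threat model rather than removing it: the cookie is now attached automatically by the browser, so the backend needs CSRF protection (the `SameSite` attribute above plus, where cross-site requests must be allowed, a CSRF token), and the Angular client has to send requests with `withCredentials: true` instead of adding an `Authorization` header from storage.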