bchiang7 / spotify-profile

A web app for visualizing personalized Spotify data built with React, Express, and the Spotify API
https://spotify-profile.herokuapp.com/

Should LocalStorage be used to store api tokens? #12

Open justinsunho opened 3 years ago

justinsunho commented 3 years ago

Noticed that localStorage is being used to store access and refresh tokens, and Local Storage can be vulnerable to XSS attacks. An alternative could be using http-only cookies.

See:

Ofc, there are limitations (time + complexity) for deciding how the tokens can be stored. I mainly wanted to open up discussion on possible solutions and considerations.
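The http-only cookie alternative raised above, as an added example that is not code from this thread or from the spotify-profile project. It assumes an Express-style `res` object, made-up cookie names (`sp_access`, `sp_refresh`), a 30-day refresh lifetime, and no `Domain` attribute, so each cookie is host-only.

```javascript
// Added example: hand tokens to the browser as HttpOnly cookies rather than
// storing them in localStorage, where any injected script can read them.
const ACCESS_MAX_AGE = 3600;        // Spotify access tokens expire after one hour
const REFRESH_MAX_AGE = 30 * 86400; // assumption: keep the refresh cookie 30 days

// Build one Set-Cookie value. HttpOnly hides it from document.cookie, Secure
// restricts it to HTTPS, SameSite limits cross-site sending, and Path scopes
// the refresh token to the single route that needs it. No Domain attribute.
function tokenCookie(name, value, maxAge, path = '/') {
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=${path}` +
         '; HttpOnly; Secure; SameSite=Lax';
}

function tokenCookieHeaders(accessToken, refreshToken) {
  return [
    tokenCookie('sp_access', accessToken, ACCESS_MAX_AGE),
    tokenCookie('sp_refresh', refreshToken, REFRESH_MAX_AGE, '/refresh_token'),
  ];
}

// Parse the Cookie request header so server routes can call the Spotify API
// on the browser's behalf; the token itself never reaches client-side JS.
function parseCookies(header = '') {
  return Object.fromEntries(
    header.split(';').map((p) => p.trim()).filter(Boolean).map((p) => {
      const i = p.indexOf('=');
      return [p.slice(0, i), decodeURIComponent(p.slice(i + 1))];
    }),
  );
}

// Check for a test suite: every token cookie must carry the hardening flags.
function isHardenedCookie(setCookie) {
  const attrs = setCookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
  return attrs.includes('httponly') && attrs.includes('secure') &&
         attrs.some((a) => a === 'samesite=lax' || a === 'samesite=strict');
}

// Express-style OAuth callback handler (hypothetical): set the cookies, then
// redirect to the app without carrying any token in the URL.
function onSpotifyCallback(tokens, res) {
  res.setHeader('Set-Cookie', tokenCookieHeaders(tokens.access_token, tokens.refresh_token));
  res.statusCode = 302;
  res.setHeader('Location', '/');
}
```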

ghost commented 3 years ago

herokuapp.com is included in the Mozilla Foundation’s Public Suffix List. This list is used in recent versions of several browsers, such as Firefox, Chrome and Opera, to limit how broadly a cookie may be scoped. In other words, in browsers that support the functionality, applications in the herokuapp.com domain are prevented from setting cookies for *.herokuapp.com.

So using localStorage is the only option for saving tokens.