szerhusenBC / jwt-spring-security-demo

A demo for using JWT (Json Web Token) with Spring Security and Spring Boot 2
MIT License
3.04k stars 1.33k forks

setting JWTs in local storage is a security risk. #113

Open Toerktumlare opened 3 years ago

Toerktumlare commented 3 years ago

Setting JWTs in local storage is bad practice according to OWASP, and makes JWTs susceptible to session stealing through for instance an XSS.

https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#local-storage

Do not store session identifiers in local storage as the data is always accessible by JavaScript. Cookies can mitigate this risk using the httpOnly flag.

and

A single Cross Site Scripting can be used to steal all the data in these objects, so again it's recommended not to store sensitive information in local storage.
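The cookie-based alternative the OWASP guidance above points to, as an added example that is not part of this issue thread or of the jwt-spring-security-demo project: the server issues the JWT in an HttpOnly cookie and reads it back from the Cookie header, so front-end code never holds the token and has no reason to put it in localStorage. The cookie name, the helper names and the sample token are assumptions made for this example; it assumes the SPA and the API are same-site, which is what SameSite=Strict relies on.

```javascript
// Added example (not project code): keep the JWT in an HttpOnly cookie rather than
// handing it to front-end JavaScript. Cookie name and helper names are assumptions.
const AUTH_COOKIE = 'access_token';

// Compact JWS: three base64url segments separated by dots (signature may be empty).
const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Build the Set-Cookie header value the server sends after a successful login.
// HttpOnly keeps document.cookie (and so any injected script) from reading it;
// Secure restricts it to TLS; SameSite=Strict keeps it off cross-site requests.
function buildAuthCookie(token, { maxAgeSeconds = 900 } = {}) {
  if (typeof token !== 'string' || !JWT_RE.test(token)) {
    // Rejecting anything but a compact JWT also blocks ';' and CR/LF header injection.
    throw new TypeError('token is not a compact JWT');
  }
  return [
    `${AUTH_COOKIE}=${token}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'Secure',
    'SameSite=Strict',
  ].join('; ');
}

// Parse an incoming Cookie request header and return the JWT, or null if absent
// or malformed; the signature is still verified by the existing JWT filter.
function readAuthCookie(cookieHeader) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name === AUTH_COOKIE) return JWT_RE.test(value) ? value : null;
  }
  return null;
}

// Constructed sample token (header.payload.signature); its contents are not meaningful.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln';

// Stand-alone demo: print the header to send and the token read back from a request.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildAuthCookie(SAMPLE_JWT));
  console.log(readAuthCookie(`theme=dark; ${AUTH_COOKIE}=${SAMPLE_JWT}`));
}
```

Once the token travels in a cookie the browser attaches it automatically, so the API also needs CSRF protection; SameSite=Strict covers most of it and Spring Security's CSRF filter covers the rest.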

szerhusenBC commented 3 years ago

Thanks for that hint, I will change that.