Token Storage Strategies

Storing access tokens in browser local or session storage is considered harmful from a security standpoint: any JavaScript running on the domain can read them, so a single XSS flaw exposes the token (see references 1, 2, 3).

Two options remain:

  • Using HttpOnly cookies (not readable from JavaScript). This requires either HTTPS or serving the SPA and the backend from the same domain; otherwise browsers block the cookie.
  • Re-authenticating each time a token is needed and keeping the token in application memory only while it is in use (less safe).

The cookie option should be preferred unless it cannot be used, for instance during local development against an online backend. The app can choose between the two by itself by analysing the backend URL, preferring cookies whenever they are usable.

References

  1. OWASP HTML5 Security Cheat Sheet
  2. Please Stop Using Local Storage
  3. Secure Access Token Storage with Single-Page Applications