12. Storing JWTs
Using JavaScript to Store JWTs
ND004 C03 L02 A09.2 Local Storage
Using Local Store
QUESTION:
We've stored a value in the localStore on the following site:
https://udacity.github.io/FSND/LocalStore/
Go to the above page and use the browser dev tools (either the console or the Application storage panel) to find the value stored under the key concept_quiz_keyword. Copy and paste this value into this quiz!
SOLUTION:
NOTE: The solutions are expressed as RegEx patterns. Udacity uses these patterns to check the given answer.
Security Considerations of Local Storage
What could go wrong?
ND004 C03 L02 A10.1 Security Considerations Of Local Storage
How Cross-Site Scripting Attacks (XSS) are Performed and Mitigated Techniques
ND004 C03 L02 A10.2 Security Considerations Of Local Storage V3
In this video, we discuss Input Sanitization. To clarify this concept, imagine a user submits HTML as part of their name in a form. When you later pull this information from your database and insert it into the HTML template for the website, the browser engine will render this text on the page. However, if the text contains HTML like <b>Gabe</b>, the browser interprets it as markup and renders it as Gabe in bold. This becomes a problem if malicious code, such as JavaScript, is saved in place of a valid string: the browser interprets that text as code and executes it on the client.
Input Sanitization transforms characters like < into the entity &lt;, which the browser will not interpret as code and will print as the text character (<). This step should always be performed on the server, since client-side checks can be bypassed by sending the malicious text directly to your server using curl or Postman.
We also mentioned NPM (Node Package Manager), an online database of publicly submitted libraries you can use in your JavaScript projects. Other public databases of code libraries include PIP for Python and Brew for Mac. Some care should be taken to ensure that these packages comply with your license and security policies and are monitored for security vulnerabilities.
Additional Reading
- Google Chrome Storage documentation
- MDN Web Docs LocalStorage Documentation
Security Considerations of Local Storage
- Why Cookies Aren't Necessarily Safer
- OWASP XSS Cheat Sheet
- Using Refresh Tokens with Auth0
- HTTP Only Cookies
- Getting Cookies in Flask
Alternatives to LocalStorage
- localForage: a JavaScript library capable of more complex storage tasks.
- HttpOnly Cookies: JavaScript can't access the token at all.