After reading some articles, I realize that using localStorage and sessionStorage is a bad idea for storing JWT tokens, and cookies with httpOnly
should be used instead.
As I read more and learn some about indexedDB today, I wonder if indexedDB is a secure option for storing JWT tokens as well?
To keep them secure, you should always store JWTs inside an httpOnly cookie. This is a special kind of cookie that's only sent in HTTP requests to the server. It's never accessible (both for reading or writing) from JavaScript running in the browser.
A JWT needs to be stored in a safe place inside the user's browser. Anyway, you shouldn't store a JWT in local storage (or session storage). If you store it in LocalStorage/SessionStorage, then it can be easily grabbed by an XSS attack.
Storing Your JWT/Auth Token
The attacker could then make false requests, modify your users' data in the database, and do a lot of damage to your application as well as its users. Hence, it's always best to store JWTs in httpOnly cookies.
There are two critical steps in using JWT securely in a web application: 1) send them over an encrypted channel, and 2) verify the signature immediately upon receiving it. The asymmetric nature of public key cryptography makes JWT signature verification possible.
The short answer is NO. As you are already pretty much convinced, using localStorage and sessionStorage is a bad idea, and IndexedDB is also vulnerable to cross-site scripting (XSS) attacks in the same way local storage is.
Regardless of security -