vue-realworld-example-app
Do not store JWT in HTML5 Local Storage
HTML5 Local Storage can be compromised because it can be read by JavaScript on the same domain (XSS). Use cookies instead; they are not accessible by JavaScript.
Ref.: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
@christophwolff So the best way is to use httpOnly cookies. What is running on the server side in order to set the Cookie: header? Similarly, the XSRF cookie requires server support.
Or just don't commit them to local storage and set them in the Vuex store in memory:
- https://auth0.com/docs/security/store-tokens#don-t-store-tokens-in-local-storage
- https://community.auth0.com/t/why-is-storing-tokens-in-memory-recommended/17742
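The two alternatives raised in this thread, an in-memory token holder and server-set HttpOnly / XSRF cookies, as an added example in plain JavaScript that is not part of vue-realworld-example-app; the cookie names, the `Token` authorization scheme and the cookie lifetime are assumptions made for the example:

```javascript
// Added example (not the project's code): safer JWT handling patterns from the
// thread, written without Vue/Vuex or a server so it runs stand-alone.

// 1. Client: keep the JWT in memory only (what a Vuex state module would hold),
//    never in localStorage. It is lost on page reload; that is the trade-off.
function createTokenStore() {
  let token = null; // closure-private, not reachable via window.localStorage
  return {
    set(t) { token = t; },
    clear() { token = null; },
    // "Token <jwt>" header scheme is an assumption (RealWorld API convention)
    authHeader() { return token ? { Authorization: `Token ${token}` } : {}; },
  };
}

// 2. Server: send the JWT as an HttpOnly cookie so page scripts cannot read it.
//    Cookie name and Max-Age are assumptions for the example.
function buildJwtSetCookie(jwt, { name = 'jwt', maxAgeSeconds = 3600, secure = true } = {}) {
  // A JWT is base64url segments joined by dots; reject anything that could
  // smuggle extra cookie attributes into the header.
  if (!/^[A-Za-z0-9_.-]+$/.test(jwt)) throw new Error('invalid cookie value');
  const attrs = [`${name}=${jwt}`, 'HttpOnly', 'Path=/', `Max-Age=${maxAgeSeconds}`, 'SameSite=Strict'];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// 3. Client: the XSRF cookie is deliberately readable (no HttpOnly) so the page
//    can echo it in a request header; the server compares header and cookie.
//    Pass document.cookie in the browser; a constructed string works here.
function xsrfHeaderFrom(cookieString, cookieName = 'XSRF-TOKEN') {
  for (const part of cookieString.split(';')) {
    const [k, ...rest] = part.trim().split('=');
    if (k === cookieName && rest.length) {
      return { 'X-XSRF-TOKEN': decodeURIComponent(rest.join('=')) };
    }
  }
  return {};
}
```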