I'm creating an application with a React.js frontend and a Node.js REST API backend.
When searching for how to handle the authentication mechanism, the answers are always the same: using JWT vs. session ID and storing in local storage vs. cookies, with the following warnings:
- Local storage is vulnerable to XSS, don't do it
- Cookies are vulnerable to CSRF, even if they are httponly and secure, don't do it
- Double Submit Cookies method is vulnerable to XSS
Basically, it seems whichever solution we choose, we will always be vulnerable to either XSS or CSRF.
I don't get it. It's 2020, and it seems no secure authentication mechanism exists? But then,
- Does it mean stackoverflow.com is vulnerable to XSS or CSRF?
- Does it mean facebook.com is vulnerable to XSS or CSRF?
- Does it mean twitter.com is vulnerable to XSS or CSRF?
- Does it mean google.com is vulnerable to XSS or CSRF?
- Does it mean amazon.com is vulnerable to XSS or CSRF?
I don't get it.
I think these websites ARE secure regarding authentication, while they don't all use two-factor authentication nor OAuth nor ask the user to log in again at each page refresh.
So why is everybody telling everybody there are 2 solutions (one vulnerable to XSS and one vulnerable to CSRF) if all those websites are secure? How do they secure their authentication and why couldn't we do the same?