1 vote

I'm using Angular 10 for the front-end. I'm getting a JWT from back-end services. I need to store my Okta JWT securely in the browser. I studied storing the token in window.sessionStorage or window.localStorage or an HTTP-only secure cookie. But I'm not sure how to avoid XSS and XSRF attacks.

What is the best approach to store the JWT securely and send it while adhering to XSS and XSRF prevention?

Thanks in advance

1
You can't store anything securely in a browser. Just store your JWT. You can even display it on your website, in the face of the world if you want. It doesn't matter, because your token will be validated server-side anyway, not browser-side. – Jeremy Thille

XSS and CSRF attacks have nothing whatsoever to do with how you store a JWT token. – Quentin

In my case I stored the JWT token in LocalStorage. I have a middleware on the backend side; upon request I'm validating and verifying the token. – Akram Hossain

You may encrypt the token using AES and store it, then decrypt it at run time to make any server-side calls. – souvikbachhar

1 Answer

1 vote

It is not possible for the data held on the client side to be "secure". There is nothing more than a JsonWebToken implementation with a short expiration time. By keeping them in local storage, you can additionally encrypt them and decrypt them when you need to use the token to communicate with the server.

I recommend reading this article by George Koniaris.