Some people recommend local storage (or session storage). Others proclaim it's a terrible idea, because it could be stolen by XSS or a compromised CDN script.
The only other option appears to be a cookie. But if you need to access that from your SPA script, it can't be marked as "HTTP only", so the same XSS / compromised CDN script could steal it just as easily. And if it's sent automatically on every request to the API, then you're open to XSRF.
The client can't trust the server. The server can't trust the client. Neither of them can trust the pipe between them. And those of us who are supposed to make it all work keep getting distracted by the latest shiny framework that's supposed to fix everything, so long as you don't look too closely at the security implications.
The solution is simple: we just need to - OH LOOK! A SQUIRREL!
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
The secret is to frame it not as an "I NEED TEH CODEZ! HURRE PLZ ITS URGENTS!!!!" request, but as a "FARK THIS ed stupid cluster blighted with the putrescent boils of a thousand rotten s is hopelessly and totally FARKED" rant.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, weighing all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies.
-- Sarah Hoyt