Welcome to the Lounge

Rant: Elephant Security For Elephant Public Facing Elephant API
Nagy Vilmos, 21-May-19 5:18

Re: Elephant Security For Elephant Public Facing Elephant API
Richard Deeming, 21-May-19 5:46
As always, the answer seems to be "it depends". :)

Can you avoid storing it at all (other than in a JavaScript variable)? The user will have to sign in each time they load your app, but that shouldn't happen too often in a SPA.

Some people recommend local storage (or session storage). Others proclaim it's a terrible idea, because it could be stolen by XSS or a compromised CDN script.

The only other option appears to be a cookie. But if you need to access that from your SPA script, it can't be marked as "HTTP only", so the same XSS / compromised CDN script could steal it just as easily. And if it's sent automatically on every request to the API, then you're open to XSRF.

There don't seem to be any good answers.

Please Stop Using Local Storage - DEV Community 👩‍💻👨‍💻
Where to Store JWTs - Cookies vs HTML5 Web Storage | Stormpath
local storage - Is it safe to store a jwt in localStorage with reactjs? - Stack Overflow
local storage - CSRF protection with JSON Web Tokens - Stack Overflow



"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
