Should LocalStorage be used to store api tokens?

[justinsunho]

Noticed that localStorage is being used to store access and refresh tokens, and Local Storage can be vulnerable to XSS attacks. An alternative could be using http-only cookies.

See:

• https://codeburst.io/localstorage-vs-cookies-all-you-need-to-know-about-storing-jwt-tokens-securely-in-the-front-end-70dc0a9b3ad3
• https://www.ducktypelabs.com/is-localstorage-bad/
• https://pragmaticwebsecurity.com/articles/oauthoidc/localstorage-xss.html

Ofc, there are limitations (time + complexity) for deciding how the tokens can be stored. I mainly wanted to open up discussion on possible solutions and considerations.

herokuapp.com is included in the Mozilla Foundation’s Public Suffix List. This list is used in recent versions of several browsers, such as Firefox, Chrome and Opera, to limit how broadly a cookie may be scoped. In other words, in browsers that support the functionality, applications in the herokuapp.com domain are prevented from setting cookies for *.herokuapp.com.

So using localStorage is the only option for saving tokens.