New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

setting JWTs in local storage is a security risk. #113

Open

Toerktumlare opened this issue Jun 19, 2021 · 1 comment

Assignees

Labels

Toerktumlare commented Jun 19, 2021

Setting JWTs in local storage is bad practice according to OWASP, and makes JWTs suceptible to session steal through for instance an XSS.

https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#local-storage

Do not store session identifiers in local storage as the data is always accessible by JavaScript. Cookies can mitigate this risk using the httpOnly flag.

and

A single Cross Site Scripting can be used to steal all the data in these objects, so again it's recommended not to store sensitive information in local storage.

Owner

szerhusenBC commented Jun 19, 2021

Thanks for that hint, I will change that.

szerhusenBC self-assigned this

szerhusenBC added the enhancement label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment