Security S-07
localStorage = Readable by Any Script.
localStorage
  localStorage.setItem("jwt", token)
  Any script running on the page can read it back with localStorage.getItem("jwt")

httpOnly cookie
  Set-Cookie: token=…; HttpOnly
  Not readable from JavaScript: the cookie is omitted from document.cookie, but the browser still attaches it to requests
LaunchYourVibe S-07
JWTs stored in localStorage are readable by any script running on the page, including one injected through an XSS bug. An httpOnly cookie is not exposed to document.cookie, so script cannot copy the token out. With localStorage tokens, one XSS vulnerability lets the attacker exfiltrate the token and replay it from their own machine: full account takeover. httpOnly limits the damage to what the injected script can do while the page is open; it does not fix the XSS itself, and the cookie should also carry the Secure and SameSite attributes.
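The difference in what an injected script can reach, as an added example that is not part of the LaunchYourVibe card: a small Node.js model of a browser's localStorage and cookie jar, the Set-Cookie header the server should send, and what an XSS payload can read under each scheme. The cookie name `__Host-session`, the Secure and SameSite attributes, and the assumption that the token is a base64url JWT are all choices made here, not taken from the card.

```javascript
// Added example (not from the card): what script can read in each scheme.

// Build the Set-Cookie header for a session token. Secure, SameSite, Path
// and the __Host- prefix go beyond what the card shows (assumption: HTTPS).
function sessionCookieHeader(token, { maxAgeSeconds = 900 } = {}) {
  // Assumption: token is a compact JWT, i.e. base64url segments joined by dots.
  // Anything else could smuggle ';' or control characters into the header.
  if (!/^[A-Za-z0-9._-]+$/.test(token)) {
    throw new Error("token contains characters not allowed in a cookie value");
  }
  return [
    `__Host-session=${token}`,
    "HttpOnly",        // not exposed via document.cookie
    "Secure",          // only sent over HTTPS
    "SameSite=Lax",    // not attached to cross-site POSTs
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
  ].join("; ");
}

// Parse one Set-Cookie header into a jar entry the way a browser does.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), httpOnly: false, secure: false };
  for (const attr of attrs) {
    const key = attr.split("=")[0].toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    if (key === "secure") cookie.secure = true;
  }
  return cookie;
}

// Minimal browser model: a localStorage object and a cookie jar.
function makeBrowser() {
  const store = new Map();
  const jar = [];
  return {
    localStorage: {
      setItem: (k, v) => store.set(k, String(v)),
      getItem: (k) => (store.has(k) ? store.get(k) : null),
    },
    receiveSetCookie(header) { jar.push(parseSetCookie(header)); },
    // document.cookie shows script only the cookies without HttpOnly.
    get documentCookie() {
      return jar.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join("; ");
    },
    // The browser attaches every cookie, HttpOnly or not, to a same-site request.
    get requestCookieHeader() {
      return jar.map((c) => `${c.name}=${c.value}`).join("; ");
    },
  };
}

// What an XSS payload running inside the page can read and exfiltrate.
function injectedScriptSteals(browser) {
  return {
    fromLocalStorage: browser.localStorage.getItem("jwt"),
    fromDocumentCookie: browser.documentCookie,
    // Not readable by script, but still sent with requests the script triggers.
    requestCookieHeader: browser.requestCookieHeader,
  };
}

// Scheme A: token handed to the page and kept in localStorage (the card's warning).
function scenarioLocalStorage(token) {
  const browser = makeBrowser();
  browser.localStorage.setItem("jwt", token);
  return injectedScriptSteals(browser);
}

// Scheme B: token delivered only as an httpOnly cookie.
function scenarioHttpOnlyCookie(token) {
  const browser = makeBrowser();
  browser.receiveSetCookie(sessionCookieHeader(token));
  return injectedScriptSteals(browser);
}

// Usage: a constructed, meaningless JWT-shaped value.
const demoToken = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2ln";
console.log("localStorage scheme:", scenarioLocalStorage(demoToken));
console.log("httpOnly cookie scheme:", scenarioHttpOnlyCookie(demoToken));
```

In the localStorage scheme the stolen object carries the token, which the attacker can send to a server they control and replay from anywhere. In the cookie scheme both `fromLocalStorage` and `fromDocumentCookie` are empty, yet `requestCookieHeader` still carries the session: the injected script can drive authenticated requests from inside the page, which is why httpOnly narrows the blast radius of an XSS rather than removing it.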