I don’t think that security measure is ignored. It’s heeding the warning, but after taking context into consideration, deciding that it is irrelevant, or not worth the effort.
For example, there are client-side libraries that try to protect from XSS by default, as well as browser security features such as Content-Security-Policy and XSS protection. If we use those and do not do anything dangerous, then the arguments about XSS become less risky.
If a JWT is short-lived, it will expire, limiting the impact when a JWT is compromised. (Refresh tokens, on the other hand, become a more serious issue if compromised, and may need more security measures.) The thing is, context matters.
Then there is an economic factor. Implementing server-side authentication may cost more (in terms of development effort) than just storing a JWT client-side. If I’m building a simple web-based client-side game with a leaderboard (no sensitive information is stored) using a secure-by-default library, then the benefits don’t outweigh the costs.
This sounds like textbook argument from authority to me…