
Jen-Hsuan Hsieh


Day 29 of #100DaysOfCode: store JWT to HttpOnly Cookie instead of the localStorage

Introduction

100DaysOfCode is a series of articles that records my process of learning programming. It is just like a diary. I prefer to write a small paragraph or paste a link to the details so that I can write every day.
Feel free to check the link if you want to know more details. Thank you!

I have been developing an SPA application on Django/DWF recently. I used JSON Web Token (JWT) to authorize users for login and other operations. It was fine for me to create endpoints secured with JWT and to exchange social media access tokens for a JWT.

However, security is a critical issue for JWT: where should we store the JWT? I tried several approaches and wrote this note.

Details

Please refer to my article for details.

https://medium.com/a-layman/where-should-we-store-the-jwt-for-spa-memory-cookie-or-localstorage-2491912d8e79

It includes the following topics.

  1. The safest place: Browser’s Memory
  2. Should we store JWT in the LocalStorage?
  3. Double tokens policy: HttpOnly Cookie + CSRF token
  4. Summary
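
As an added illustration of topic 3 (not code from the original post or from the linked article), here is the "double tokens" pattern in plain Python using only the standard library: the JWT is sent in an HttpOnly cookie that page scripts cannot read, while a separate CSRF token is sent in a readable cookie that the client must echo back in a request header. The cookie and header names, and the sample JWT value, are assumptions for this example.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Cookie and header names below are assumptions for this example.
JWT_COOKIE = "access_token"   # holds the JWT; HttpOnly so page scripts cannot read it
CSRF_COOKIE = "csrftoken"     # readable by scripts on purpose
CSRF_HEADER = "X-CSRF-Token"  # the client copies the CSRF cookie value here


def build_login_cookies(jwt: str, csrf_token: str = "") -> tuple:
    """Build the Set-Cookie header values sent after a successful login.

    Returns (list_of_set_cookie_values, csrf_token). The JWT cookie is
    HttpOnly + Secure + SameSite=Strict, so injected script cannot read it
    through document.cookie; the CSRF cookie is deliberately readable.
    """
    csrf_token = csrf_token or secrets.token_urlsafe(32)
    jar = SimpleCookie()
    jar[JWT_COOKIE] = jwt
    jar[JWT_COOKIE]["httponly"] = True
    jar[JWT_COOKIE]["secure"] = True
    jar[JWT_COOKIE]["samesite"] = "Strict"
    jar[JWT_COOKIE]["path"] = "/"
    jar[CSRF_COOKIE] = csrf_token
    jar[CSRF_COOKIE]["secure"] = True
    jar[CSRF_COOKIE]["samesite"] = "Strict"
    jar[CSRF_COOKIE]["path"] = "/"
    return [morsel.OutputString() for morsel in jar.values()], csrf_token


def is_request_authorized(cookie_header: str, request_headers: dict) -> bool:
    """Gate a state-changing request on the double-token check.

    The browser attaches both cookies automatically, but only same-origin
    script can read the CSRF cookie and echo it in the header, so a forged
    cross-site request fails here. JWT signature verification, which a real
    endpoint must also perform, is out of scope for this block.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    if JWT_COOKIE not in jar or CSRF_COOKIE not in jar:
        return False
    sent = request_headers.get(CSRF_HEADER, "")
    expected = jar[CSRF_COOKIE].value
    # constant-time comparison avoids leaking the token through timing
    return bool(sent) and hmac.compare_digest(sent, expected)
```

In a Django/DRF view the same two steps map onto setting the cookies on the login response and running the check in an authentication class or middleware before any write endpoint.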

Articles

Here are some of my other articles. Feel free to check them out if you like!
