re: Please Stop Using Local Storage

re: Good article, but the language is too strong. You made a few good points but also some arguments are controversial. I am not sure if using authen...

I hope nobody is putting a few MB of data in my localStorage either. If you use the Authorization header, the token can be extracted by XSS etc. and sent to malicious servers, and they can then use it however they wish.

If you use a Secure; HttpOnly cookie it can't be stolen by malicious JS and is bound to your browser's security model. Add to that proper CSRF tokens and, e.g., SameSite=Strict, and you've got a decent system.
