After reading dozens of comments in this thread, I am nowhere closer to figuring out what's safer to use for an SPA. Some have said that using the Authorization header is better to avoid CSRF attacks and is the way to authorize requests on mobile apps. Others said not to use it to avoid XSS attacks. Some have said to avoid localStorage because of XSS. Others say it's the same security level as a cookie, but then someone said if you specify the HttpOnly and SameSite flags, the cookies are stronger than localStorage. Some say JWT is not secure at all and wasn't designed for security, but yet others claim JWT is similar to using SSH keys. So then what? What does a developer have to do nowadays to get proper security in an app? From what I understood, the only two options I have are using JWTs in an HttpOnly, strict SameSite cookie along with a CSRF cookie, or using traditional session cookies.