Store jwt on frontend

Hello guys, I hope you are all doing well. I am working on react app. As backend I am using nodejs. So, I need to implement an authentication/authorization system. I am thinking of using jwt. But I am very confused about where to store jwt on client side. Storing it on localstorage or cookie is problematic ,because it’s vulnerable to xss and csrf attack. Can you guys suggest me where to store it securely and if there is any extra security measure it need to take?

Hi @Ankit006 !

I am still newer to backend but from what I understand you can store your jwt in HttpOnly cookie.

I did a quick google search and there are tons of tutorials that cover this.

But also, maybe one of the pros can give other solutions too.

I feel like no matter what approach you take with the frontend, there will always be some sort of security risk. I think the cookie approach might be a little more secure.
I could be wrong but I don’t know if there is an option that will be 100% effective against attacks.

Hope that helps!

1 Like

Front end, by its open nature, is not very secure. There are some measures you can take, but you’re not really locking down the client. You might use https and lock down the channel of communication, and you might create very strict server roles, limiting outside access and thus better securing the server, but by it’s very nature the client side is out of your control.

You can store the jwt in an httpOnly cookie, yes. My personal approach (which is not very RESTful) is to store the jwt in the users table on the server with some other identifying information. And i use authorization roles.

Think of the client side as a window and the server side the house. There may be other windows (REST APIs, RSS feeds, Graphql ports) that allow different views into the house. You can’t really control who will look in those various windows but you can manage what they can see.

1 Like

Thank you for your reply. Well, But if I store jwt on the database, then I need some information in order to retrieve it. Then where should I store that kind of information?

Thank you for your reply. Yes, httponly cookie is good option and I didn’t find any other good solution.

This topic was automatically closed 182 days after the last reply. New replies are no longer allowed.