
Never use localstorage for JWT (JSON Web Tokens)

JWTs are an industry-standard way of storing authentication tokens for users: they are just strings of information that securely identify a user who is logged into a site or app.

At AuthRamp, we've noticed an unfortunate trend of web developers storing JWTs in the web browser's localstorage API. At first glance, doing so is tempting; however, upon closer inspection it is a security blunder that we warn against.

If you store a JWT (or any other secret) in localstorage, it is readable by any JavaScript running on your site, from Google Analytics to your support chat widget. Even if you trust all the JavaScript widgets you purposefully installed (and you shouldn't), if you fall victim to a cross-site scripting attack or other malicious code that manages to run inside your page's JavaScript runtime, those secrets are exposed to it.

Always use http-only secure cookies

Unlike localstorage data, http-only secure cookies cannot be read by client-side script at all once they have been written. After the cookie is committed to storage, not even your own JavaScript client can read the content of a JWT entrusted to the browser's http-only cookie store, ensuring that no malicious JavaScript -- not even JavaScript your site may inadvertently serve -- can read a user's credentials.
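To make the recommendation concrete, here is an added example (not code from the AuthRamp post) of the server side of this pattern in Node.js: issuing a JWT in an HttpOnly, Secure cookie, reading it back from the request's Cookie header, and auditing a Set-Cookie value for the protective attributes. The cookie name `auth_token`, the `SameSite=Strict` choice and the audit helper are assumptions for illustration.

```javascript
// Added example, not from the original post. Cookie name and attribute
// choices (Path=/, SameSite=Strict) are assumptions for illustration.
const COOKIE_NAME = "auth_token";

// Build the Set-Cookie header value for a freshly issued JWT.
// HttpOnly keeps the token out of document.cookie, Secure restricts it to
// HTTPS, SameSite limits when the browser attaches it to cross-site requests.
function buildAuthCookie(token, maxAgeSeconds) {
  // A JWT is base64url segments joined by dots, so separators are never valid.
  if (typeof token !== "string" || token === "" || /[\s;,"\\]/.test(token)) {
    throw new Error("token contains characters not allowed in a cookie value");
  }
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds <= 0) {
    throw new Error("maxAgeSeconds must be a positive integer");
  }
  return `${COOKIE_NAME}=${token}; Max-Age=${maxAgeSeconds}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Server side: extract the JWT from an incoming Cookie request header such as
// "theme=dark; auth_token=eyJ...; lang=en". Returns null when it is absent.
function readAuthCookie(cookieHeader) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === COOKIE_NAME) return part.slice(eq + 1).trim();
  }
  return null;
}

// Audit a Set-Cookie value and list the protective attributes it lacks.
// Useful as a regression test on whatever emits your session cookie.
function missingCookieProtections(setCookieValue) {
  const attrs = setCookieValue.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes("httponly")) missing.push("HttpOnly");
  if (!attrs.includes("secure")) missing.push("Secure");
  if (!attrs.some((a) => a.startsWith("samesite="))) missing.push("SameSite");
  return missing;
}

module.exports = { buildAuthCookie, readAuthCookie, missingCookieProtections };
```

An HttpOnly cookie only stops script from reading the token; script running on the page can still cause the browser to send requests that carry it, so XSS prevention and the SameSite attribute remain part of the defense.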