Cookie best-practices on the Frontend
#34 · 2021-05-22 · security, cookies, JWT

There seems to be some confusion about where to store authentication tokens on the frontend. Do not use localStorage for that, as it makes you susceptible to Cross-Site Scripting (XSS) attacks: any script running on the page can read it. Use cookies instead. They support attributes that make stealing sensitive data less likely. When creating cookies, set the following attributes:
- Secure: the cookie is only sent back to the server over HTTPS.
- HttpOnly: forbids JavaScript from accessing the cookie, which mitigates XSS attacks (injected script cannot read the token).
- SameSite=Strict: the cookie is only sent with same-site requests, which mitigates CSRF attacks.
Also note that whether or not you are using JWT does not change this. JSON Web Tokens do not have to be stored in localStorage and they do not have to be transferred in an HTTP header. The JWT specification (RFC 7519) does not prescribe any transport at all. A JWT absolutely can be securely stored in a cookie with the attributes above.
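As an added example (not code from the original post), here is a small Node.js helper that builds a Set-Cookie header carrying a JWT with the three attributes above, plus an audit function that reports which attributes a given Set-Cookie header is missing. The function names and the sample token value are constructed for illustration.

```javascript
// Added example, not code from the original post: build a hardened
// Set-Cookie header for a JWT (or any session token) and audit arbitrary
// Set-Cookie headers for the attributes the post recommends.
// Function names and the sample token value are constructed.

// RFC 6265 cookie-octet: printable ASCII except ; , space " and backslash.
const COOKIE_VALUE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;
// HTTP token characters allowed in a cookie name.
const COOKIE_NAME = /^[A-Za-z0-9!#$%&'*+.^_`|~-]+$/;

// Returns "name=token; Path=/; Max-Age=N; Secure; HttpOnly; SameSite=Strict".
// Validating name and value stops an attacker-influenced token from
// injecting "; " and overriding the attributes appended after it.
function buildSessionCookie(name, token, maxAgeSeconds) {
  if (!COOKIE_NAME.test(name)) throw new Error('invalid cookie name');
  if (!COOKIE_VALUE.test(token)) throw new Error('invalid cookie value');
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds <= 0) {
    throw new Error('Max-Age must be a positive integer');
  }
  return [`${name}=${token}`, 'Path=/', `Max-Age=${maxAgeSeconds}`,
          'Secure', 'HttpOnly', 'SameSite=Strict'].join('; ');
}

// Audit one Set-Cookie header (e.g. from a response or a proxy log) and
// report which of the three recommended attributes are absent.
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const lower = attrs.map((a) => a.toLowerCase());
  const missing = [];
  if (!lower.includes('secure')) missing.push('Secure');
  if (!lower.includes('httponly')) missing.push('HttpOnly');
  const sameSite = lower.find((a) => a.startsWith('samesite='));
  // Only Strict satisfies the recommendation; Lax, None, or no SameSite
  // attribute at all is reported as missing.
  if (sameSite !== 'samesite=strict') missing.push('SameSite=Strict');
  return { name, missing, ok: missing.length === 0 };
}

// Usage on a constructed (not real) JWT value:
const header = buildSessionCookie('session', 'eyJhbGciOiJIUzI1NiJ9.e30.c2ln', 3600);
console.log(header);
console.log(auditSetCookie('session=abc; Path=/; SameSite=Lax'));
```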