Greetings, I am using Angular 7 with Angular Material for my client application that connects to and obtains an access token from the IRIS Authorization Server to access REST APIs that reside on the resource server with delegated authority. The only problem that I am facing right now is exposing important information such as the JWT (encoded access token), which is stored in the browser's local storage and is not secure against XSS attacks.
Right now, I am having a hard time finding an alternative but secure option to store the access token on the server side (client web server) instead of the browser's local storage, to make my client application less vulnerable to XSS attacks, as local storage is designed to be accessible by JavaScript, so it doesn't provide any XSS protection. There are some good suggestions that I have googled, including the following, with some pros and cons:

- a web server-side session that maintains sensitive data (user IDs, session IDs, JWTs, API keys, etc.)
- storing in cookies with the "httpOnly" option, which is also less vulnerable to XSS attacks
- an indexedDB solution, which also has some caveats

Please let me know if anyone has implemented a better and secure way of storing token information on the server side (client web server) and incorporated that information in the client application to send the token inside the HTTP (header) request for consuming REST APIs.