Hi Everyone,
Just wanted to check if anyone has any experience in securing Single Page Webapps using JWT tokens.

Challenge

The challenge we are facing is how to store the JWT token at the client side in the browser, which will be used to securely call the back-end APIs.

Background

We are working on the custos UI portal and one of the design options that we are considering is to directly call the custos backend APIs from client-side JavaScript. The basic flow would look like:

1. User logs in using username and password from the login screen using the login API.
2. JWT token and basic user information are returned to the client in the response.
3. In subsequent API requests, the user will send this authentication token.

But how to store this token at the client side?

Options

1. Store it in localStorage - This is not considered to be secure as localStorage is vulnerable to XSS attacks - https://dev.to/rdegges/please-stop-using-local-storage-1i04
2. Store the JWT token in an httpOnly cookie - Browser adds the cookie to all the API calls - vulnerable to CSRF attacks and needs to be protected using a CSRF token or in some other manner. Do you have any experience implementing these securely?
3. Have an authentication middleware (API gateway) - All user requests are routed to the API gateway, which authenticates the users using a sessionId and then re-routes the requests to the API by including the user's JWT token or session information. More of a traditional way of doing things, but some big companies use this approach, like Airbnb as per this article - https://medium.com/airbnb-engineering/building-services-at-airbnb-part-2-142be1c5d506

It would be really helpful if you can provide any inputs or share your experience with SPAs.

Thanks and regards,
Shivam Rastogi
