Article URL: https://neciudan.dev/most-secure-way-to-store-auth-token Comments URL: https://news.ycombinator.com/item?id=48869243 Points: 34 # Comments: 9

Where should your auth token live so an XSS bug can't steal it? Here's how to build auth that survives the crazy non-secure world we live in. Hi there, it's Dan, a technical co-founder of an ed-tech startup, host of Señors at Scale - a podcast for Senior Engineers, Organizer of ReactJS Barcelona meetup, international speaker and Staff Software Engineer, I'm here to share insights on combining technology and education to solve real problems. I write about startup challenges, tech innovations, and the Frontend Development. Subscribe to join me on this journey of transforming education through technology. Want to discuss Tech, Frontend or Startup life? Let's connect. Ask ten frontend developers where to store a login token, and you’ll get four answers and an argument. And because each approach addresses different concerns, the debates continue without resolution. So let’s clarify once and for all: What are the options to store a token, which are the most secure and what are the use cases. I go much deeper on XSS and CSRF in my FREE frontend security course, but I wanted to tackle auth on its own. I’ve written this, you might have too. Every “build a full-stack app in an afternoon” article and tutorial has written this. The user submits a login form; the server checks the password and returns a token. You put it in localStorage and attach it to every request from then on: