I am using Rails API to generate a JWT on user login. Now I need to persist this token. After some reading, I found out that there are two ways of doing this. I can either use local storage or cookies. They both have the problem of XSS and CSRF respectively. I am not sure how this should work. I am using React in the frontend.
Session or local storage is what I use nowadays. You need to take measures against CSRF when using cookies, but local storage is only accessible to your JavaScript, so as far as I understood the documentation of multiple auth providers it is not necessary in the case that you don't use cookies for any sensitive data.
You still need to watch out for people inserting malicious JS into your app, of course.
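The cookie side of the trade-off described above, as an added example (not code from the question or the answer): a Rails-style API that keeps the JWT in an HttpOnly, Secure, SameSite cookie so page scripts cannot read it, and pairs it with a double-submit CSRF token that the frontend must echo in a request header. The function names, the cookie names `auth_token` and `csrf_token`, the header name `X-CSRF-Token`, and the hash-shaped request stand-ins are all assumptions made for the example; only the Ruby standard library is used.

```ruby
require "securerandom"

# Build the Set-Cookie value for the JWT cookie (assumed cookie name: auth_token).
# HttpOnly keeps the token out of reach of page JavaScript (the XSS side of the
# trade-off), Secure restricts it to HTTPS, and SameSite limits when the browser
# attaches it to cross-site requests (the CSRF side).
def auth_cookie_header(token, max_age: 3600, same_site: "Lax")
  unless %w[Strict Lax None].include?(same_site)
    raise ArgumentError, "same_site must be Strict, Lax or None"
  end
  [
    "auth_token=#{token}",
    "Path=/",
    "Max-Age=#{max_age}",
    "HttpOnly",
    "Secure",
    "SameSite=#{same_site}"
  ].join("; ")
end

# Double-submit CSRF token: the server issues a random value as a readable
# (non-HttpOnly) cookie, the frontend copies it into a request header, and the
# server requires both to match. A cross-site page can make the browser send
# the cookie, but cannot read it to fill in the header.
def new_csrf_token
  SecureRandom.urlsafe_base64(32)
end

# Compare two strings without leaking where they differ through timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def csrf_valid?(cookie_value, header_value)
  return false if cookie_value.nil? || header_value.nil?
  constant_time_equal?(cookie_value, header_value)
end

SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# Rack-style check for one request. `cookies` and `headers` are plain hashes
# here (constructed stand-ins for request.cookies and request.headers);
# state-changing methods must carry a header that matches the CSRF cookie.
def request_allowed?(method, cookies, headers)
  return true if SAFE_METHODS.include?(method.upcase)
  csrf_valid?(cookies["csrf_token"], headers["X-CSRF-Token"])
end

if __FILE__ == $PROGRAM_NAME
  token = new_csrf_token
  puts auth_cookie_header("<jwt-placeholder>", same_site: "Strict")
  puts "POST with matching header: #{request_allowed?('POST', { 'csrf_token' => token }, { 'X-CSRF-Token' => token })}"
  puts "POST with no header:       #{request_allowed?('POST', { 'csrf_token' => token }, {})}"
end
```

With this layout the JWT cookie is never exposed to scripts, and the CSRF cookie carries no secret beyond the random nonce, so an injected script that reads it gains nothing it could not already do while running in the page.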
Marcus Pohorely
CTO/CEO @Pagelanes.com
@ankitsinghaniyaz You do not need to take extra extreme care where you store the token regarding security (besides security standards, of course). You can even display the token to the user; it can be unfolded by everyone (using jwt.io, e.g.). Once someone tampers with the token in any way it gets invalid.
So, storing in localStorage should be fine in 2016. Your domain is the only one who has access to this store.