
I'm building a Single Page App using AngularJS and Spring for the backend. For the purpose of making my backend stateless, I recently researched JWT (JSON Web Tokens). Now here's the confusion -

a. Should I send my JWT in a response header to the client and then save it to a cookie through ngCookie? If yes, how can I handle XSS attacks?

b. Should I send the JWT in a cookie generated in the backend and set the cookie on the client browser?

c. Is JWT secure? (Since I can decode a JWT so easily; by the way, I'm gonna run my app on https)

If there's a better way of securing my app, I'd love to know that.

Thank you.

Please share any bit of info.

Ansh Agarwal

2 Answers


The JWT should be saved in local storage. See this video for more info:

https://www.youtube.com/watch?v=X7t2pdJYHNI

JWTs are not secure. You'll have to use https to encrypt your data.

Zane Hitchcox
  • Why should it be saved in local storage when storing data in cookies is a much more viable option? – Ansh Agarwal Aug 07 '15 at 00:28
  • If you store it in a cookie and don't send it in the header, you miss out on some of the benefits (CORS, CSRF...). If you store it in the cookie and send it in the header, then it's just a waste of bandwidth. – Zane Hitchcox Aug 07 '15 at 16:44

a + b

  • JWT can be sent in:
    1. Authorization header
    2. request body
    3. URL param
    4. cookie (if ^)
  • And stored both in local storage or cookie file (^).

c

  • JWT is encoded and signed. It isn't encrypted. So it shouldn't contain sensitive data (e.g. password).

  • But if you still need to add some private data try JWE (Json Web Encryption).

pazukdev