I am using JWT tokens to authorize requests to my API from an Angular website, and I am saving the token in local storage. The problem is that it is prone to attacks, because attackers can easily get the token from local storage and see what is stored in the token, or do anything else with the token. Is there a way to store these tokens safely?
Viewed 354 times
- Not sure you're on the right track if you want to local store JWT tokens. https://jwt.io/introduction/ – Thomas Johansen Apr 03 '18 at 12:28
- It is fine if you store the token in the local storage, just be sure it doesn't contain any sensitive data. To make sure of that, decrypt it with https://jwt.io – Boanta Ionut Apr 03 '18 at 12:28
- Also, this will definitely help you make up your mind: https://auth0.com/docs/security/store-tokens – Boanta Ionut Apr 03 '18 at 12:31
- Are you developing an SPA? Good read: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage – DrNio Apr 03 '18 at 12:33
- Any user will always be able to see tokens on their own computer and then use them in arbitrary requests. You cannot hide them. – deceze Apr 03 '18 at 12:36
1 Answer
As I understand, your concern is that other users can't use the token for fake use (API calls).
For that you can set a smaller timeout for the token, like 5-10 min, and keep updating it. So even if someone gets it, he can't use it after 5 min.
Some developers even use a 10-20 second timeout to avoid this.
You can read this link for more usage - JWT

Rahul