Should I store JWT tokens in IndexedDB?

karandave09 · May 20, 2021, 9:31am

After reading some articles, I realize that using localStorage and sessionStorage is a bad idea for storing JWT tokens, and cookies with httpOnly should be used instead.

As I read more and learn some about indexedDB today, I wonder if indexedDB is a secure option for storing JWT tokens as well?

Ref link: cookies - Should I store JWT tokens in IndexedDB? - Stack Overflow

dan.woda · May 24, 2021, 8:18pm

Hi @karandave09,

Welcome to the Community!

It looks like indexedDB is subject to the same risks as localstorage and won’t solve for this.

karandave09 · May 27, 2021, 7:40am

Hey @dan.woda,

Thank you for your reply.

Wanted a suggestion;
So where should one store jwt token for a complete client-side (kind of a widget) single page application?

dan.woda · May 27, 2021, 7:06pm

We recommend refresh token rotation, or silent authentication (based on a cookie session), to get new access tokens in SPAs without leaving them vulnerable to XSS attacks in localstorage.

If you haven’t looking into using our SPA SDK, I highly recommend it.

Topic		Replies	Views
Where to store JWT? JWT.io	2	4348	July 26, 2019
Isn't storing a JWT in a non-httponly cookie just as insecure as local storage? JWT.io cookie , localstorage	4	9744	August 21, 2020
Which is the best way to store the auth0 token for a web app JWT.io auth0 , localstorage	7	13851	September 2, 2019
Here is a question I sent to Mosh Hamidani and Max SwartzMuller about storing authentication tokens on local storage JWT.io	8	3874	April 16, 2020
Where to store refresh token on WEB? JWT.io jwt , login	2	4897	July 8, 2019

Should I store JWT tokens in IndexedDB?

Related topics