Should I store JWT tokens in IndexedDB?

karandave09 · May 20, 2021, 9:31am

After reading some articles, I realize that using localStorage and sessionStorage is a bad idea for storing JWT tokens, and cookies with httpOnly should be used instead.

As I read more and learn some about indexedDB today, I wonder if indexedDB is a secure option for storing JWT tokens as well?

Ref link: cookies - Should I store JWT tokens in IndexedDB? - Stack Overflow

dan.woda · May 24, 2021, 8:18pm

Hi @karandave09,

Welcome to the Community!

It looks like indexedDB is subject to the same risks as localstorage and won’t solve for this.

karandave09 · May 27, 2021, 7:40am

Hey @dan.woda,

Thank you for your reply.

Wanted a suggestion;
So where should one store jwt token for a complete client-side (kind of a widget) single page application?

dan.woda · May 27, 2021, 7:06pm

We recommend refresh token rotation, or silent authentication (based on a cookie session), to get new access tokens in SPAs without leaving them vulnerable to XSS attacks in localstorage.

If you haven’t looking into using our SPA SDK, I highly recommend it.

system · June 11, 2021, 7:07pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.