Is it safe to save AuthToken in Local Storage?

REN (Member)

I am not a security expert, but -- like everyone else -- I definitely need to secure my apps.

I have been searching for weeks for a definitive answer to the question:

“Is it safe to save in the LocalStorage the AuthToken of API calls executed via Front-End?”

In summary, my research so far has produced two broad findings:

1) Developers have always been taught to save in local storage this type of token.

2) The only real downside to doing so - felt by many but not all - lies in the risk of XSS attacks.

Does anyone who has already addressed this problem and/or has the expertise to do so feel like sharing useful material/expertise here to help solve the problem? Best Practice? Most secure solution?

For example, for those who connect the Bubble frontend to the Xano backend via authenticated API calls that don't go through the API Connector (using the SDK connector), how do they handle the AuthToken?

Thanks for your help!

Answers

  • Ray Deck (Trusted Xano Expert)

    Saving in an HttpOnly cookie is more secure, but storing in local storage is simpler and highly secure. I do the latter all the time.

  • REN (Member)

    Thanks a lot @Ray Deck , much appreciated!

    Unfortunately, the cookie is not a solution for me at the moment, but I will keep working in this direction as well, thank you!

    As to storing the AuthToken in Local Storage, as far as I know, the only barrier to stop someone via an XSS attack from getting hold of the Auth-Token is expiration of the token itself (as well as, of course, limiting the actions and data available to the user who authenticated via that token). To your knowledge, is there anything else that can be done to mitigate the risk of someone getting hold of the token and impersonating the user? Or are you telling me that this risk doesn't actually exist at all?

    Does anyone else connecting Bubble & Xano fancy stepping in and adding/sharing their experience?

  • Ray Deck (Trusted Xano Expert)

    The brief expiration window is why I store in the localstorage without too much worry. This risk of leakage and misuse is why access tokens don't last for days. Time is your ally. Cryptographic verification lets you guarantee provenance with a high level of confidence. Between preventing forgery and short timeouts, I feel pretty good about the security level.