Where is it recommended to store a JWT on the client to reduce XSS risk?


Multiple Choice

Where is it recommended to store a JWT on the client to reduce XSS risk?

Explanation:
When you want to reduce the risk that an XSS vulnerability leaks a token, store the JWT in a location that JavaScript cannot access. HttpOnly cookies meet this requirement because they aren't exposed to client-side scripts. The browser will still send the cookie automatically with requests to your server, but malicious injected code can't read the token from it, which blocks one major attack path.

Keep in mind the tradeoffs: cookies introduce CSRF concerns unless you implement protections (such as SameSite attributes and the Secure flag, plus CSRF tokens if needed). localStorage and URL query parameters are both readable by any script running on the page, so an XSS attack can easily steal the token from those locations. In-memory storage is also vulnerable because a malicious script running in the page can access the token while the page is loaded, and it's lost on refresh.

