// Where you store your JWT/access token determines your app's attack surface. Let's explore each option.
localStorage.getItem('token')/refresh endpoint to silently get a new access token| Storage | XSS Safe? | CSRF Safe? | Persists? | Use For |
|---|---|---|---|---|
| localStorage | ✗ No | ✓ Yes | ✓ Yes | Never auth tokens |
| sessionStorage | ✗ No | ✓ Yes | ✗ No | Temporary UI state only |
| Memory (JS var) | ✓ Yes | ✓ Yes | ✗ No | Access tokens (short-lived) |
| HttpOnly Cookie | ✓ Yes | ~ With SameSite | ✓ Yes | Refresh tokens (recommended) |