# help
Hello, I just started using Supabase for authentication and noticed that it stores the JWT in localStorage. I tested Firebase and it is also configured to store the JWT there if you follow the docs for Authentication State Persistence... However, I read that it would be more secure to store the JWT as an HttpOnly cookie, since localStorage is not supposed to be used for sensitive data (https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#local-storage). Are there really security risks to the Supabase/Firebase approach?
https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/ This is a good read on JWT use and how it is secured. Of course it is from the JWT camp, and the web is full of different opinions on the level of security for storing the JWT.
stefan199 (2022-03-28)
Thanks for the link, I'll check it out.