by jesstaa
1587 days ago
If you have any unauthenticated routes that you don't want arbitrary websites calling.

> using JWT in a typical SPA <-> API scenario.

Is this typical? It's a pretty horrible setup.
Cookies have a lot of great features that 'store a JWT in LocalStorage' just doesn't have.
I'm still interested in the original question: if you use localstorage for auth tokens and you have proper CSRF protection, what does allowing all CORS actually make you vulnerable to?
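As an added example (not part of the thread, and not anyone's production code), the following models how a browser gates cross-origin reads and which ambient credentials it attaches, then runs the three cases the comments above are arguing about: an unauthenticated route behind `Access-Control-Allow-Origin: *`, a cookie-authenticated route, and a bearer token kept in localStorage. The API config, origins, cookie jar and token values are all constructed for illustration; the CORS rule is a simplification of the Fetch standard's check (`*` is only honoured for requests made without credentials).

```javascript
// Constructed sample API: "allow all CORS", no credentials flag, three routes.
const API = {
  allowOrigin: "*",         // Access-Control-Allow-Origin
  allowCredentials: false,  // Access-Control-Allow-Credentials
  routes: {
    "/public/status": { auth: "none",   body: "ok" },
    "/me/cookie":     { auth: "cookie", body: "private profile" },
    "/me/bearer":     { auth: "bearer", body: "private profile" },
  },
};

// Simplified browser rule for exposing a cross-origin response to script:
// with credentials, the server must echo the exact origin AND send ACAC: true;
// without credentials, "*" or an exact origin match is enough.
function corsExposes(requestOrigin, withCredentials, allowOrigin, allowCredentials) {
  if (withCredentials) {
    return allowOrigin === requestOrigin && allowCredentials === true;
  }
  return allowOrigin === "*" || allowOrigin === requestOrigin;
}

// Simulate a page at `pageOrigin` calling `route`.
//  - cookieJar models a session cookie the browser attaches automatically
//    whenever the request is made with credentials (the CSRF-relevant case).
//  - localStorage is partitioned per origin, so a foreign page never sees the
//    JWT stored by the legitimate SPA and cannot attach a bearer header with it.
// Returns whether the server acted on an authenticated request and what the
// calling page can actually read back (null = blocked by CORS).
function simulateCall({ pageOrigin, route, withCredentials, cookieJar, localStorageByOrigin }) {
  const r = API.routes[route];
  const token = (localStorageByOrigin[pageOrigin] || {}).jwt;
  let authenticated;
  if (r.auth === "none") authenticated = true;
  else if (r.auth === "cookie") authenticated = withCredentials && cookieJar.session === "valid";
  else authenticated = token === "valid-jwt";

  const serverBody = authenticated ? r.body : "401 unauthorized";
  const exposed = corsExposes(pageOrigin, withCredentials, API.allowOrigin, API.allowCredentials);
  return { serverProcessed: authenticated, readableByPage: exposed ? serverBody : null };
}

// Constructed browser state: a logged-in session cookie for the API, and a
// JWT that only the legitimate SPA origin has written to its localStorage.
const browserState = {
  cookieJar: { session: "valid" },
  localStorageByOrigin: { "https://app.example": { jwt: "valid-jwt" } },
};

// The three cases from the discussion, all initiated by a third-party page.
function scenarios(foreignOrigin = "https://other.example") {
  return {
    // 1. Unauthenticated route + ACAO "*": any site can call it and read the answer.
    publicRoute: simulateCall({ pageOrigin: foreignOrigin, route: "/public/status",
      withCredentials: false, ...browserState }),
    // 2. Cookie-auth route: the browser still sends the cookie (CSRF risk) but,
    //    because ACAO is "*", refuses to hand the credentialed response to script.
    cookieRoute: simulateCall({ pageOrigin: foreignOrigin, route: "/me/cookie",
      withCredentials: true, ...browserState }),
    // 3. Bearer-from-localStorage route: the foreign page has no token, so the
    //    request is unauthenticated; it can read the 401, nothing more.
    bearerRouteForeign: simulateCall({ pageOrigin: foreignOrigin, route: "/me/bearer",
      withCredentials: false, ...browserState }),
    // Same bearer route from the legitimate SPA, which does hold the token.
    bearerRouteLegit: simulateCall({ pageOrigin: "https://app.example", route: "/me/bearer",
      withCredentials: false, ...browserState }),
  };
}

console.log(JSON.stringify(scenarios(), null, 2));
```

The model reproduces the point made in the thread: with tokens in localStorage and CSRF protection on cookie routes, a wildcard CORS policy mainly exposes whatever the API serves without authentication, because that is the only thing a foreign page can both trigger and read. The cookie case also shows why CSRF protection is still needed even though the response is not readable: the request itself is processed server-side.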