by jkrejcha
5 days ago
> First time I'm hearing that frameworks require disabling HttpOnly.

They effectively do in the case where you're using local storage because they need to grab the session token from somewhere. The thing about HttpOnly is that JS code never even gets to see the session token. Which is a mitigation for a whole class of vulnerabilities.

> ...CSRF

You have to mitigate CSRF server-side (with a CSRF token, checking the Sec-Fetch-* headers) or by using SameSite on the client side (ideally both)

There's a reason "don't use local storage for security sensitive stuff" is part of the OWASP cheatsheet[1]

[1]: https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Securit...
Local storage was released more than 16 years ago, and back then PHP was way too popular. XSS is almost impossible to execute these days (unless you do self-XSS).
Discord has mitigations for grabbing the token from local storage: https://news.ycombinator.com/item?id=48563286