Peter Locke
Jul 26, 2017 · 1 min read

Donald, the primary concern is XSS or any other scripting vulnerability. If JavaScript has full access to the JWT, any scripting vulnerability will allow the attacker to steal the full JWT and act on the user’s behalf. By putting the signature portion of the JWT in a place JavaScript cannot access (HttpOnly cookie), that risk is minimized.


Cofounder and CTO @giftbit / @lightrailhq — Builder of business focussed engineering teams and technology strategies.