Hi! Thank you for the article.
Donald Pipowitch

Donald, the primary concern is XSS or any other scripting vulnerability. If JavaScript has full access to the JWT, any scripting vulnerability will allow the attacker to steal the full JWT and act on the user’s behalf. By putting the signature portion of the JWT in a place JavaScript cannot access (HTTPOnly cookie), that risk is minimized.
