Jul 26, 2017 · 1 min read
Donald, the primary concern is XSS or any other scripting vulnerability. If JavaScript has full access to the JWT, any scripting vulnerability will allow the attacker to steal the full JWT and act on the user’s behalf. By putting the signature portion of the JWT in a place JavaScript cannot access (HTTPOnly cookie), that risk is minimized.
