LocalStorage vs Cookie

Pros and Cons of LocalStorage vs. Cookie

https://stackoverflow.com/questions/35291573/csrf-protection-with-json-web-tokens

  • LocalStorage

    • strong against CSRF
    • but weak against XSS
  • Cookie

    • strong against XSS (HttpOnly mode)
    • but weak against CSRF (though there is an easy fix, such as a hidden form value)

Should I use CSRF protection on Rest API endpoints?

https://security.stackexchange.com/questions/166724/should-i-use-csrf-protection-on-rest-api-endpoints

No cookie, no CSRF: if the endpoint does not authenticate by cookie, the browser never attaches credentials on its own, so a cross-site request carries nothing to forge.

Protection of localstorage

Sending the token in the Authorization header is recommended.
However, requests for images that require authentication must use a Cookie (an <img> request cannot carry a custom header).

https://softwareengineering.stackexchange.com/questions/314412/can-i-prevent-csrf-attacks-by-using-localstorage-sessionstorage
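A worked check tying these notes together, added here as an example (not code from the linked answers): a bearer token from the Authorization header needs no CSRF token, while a cookie session needs one on state-changing requests but not on safe GETs such as image loads. The request shape, session store and token values are assumptions constructed for the example.

```javascript
// Constructed sample data; in production session ids and CSRF tokens come
// from a CSPRNG and the stores live server-side.
const SESSIONS = { "sess-123": { user: "alice", csrf: "csrf-7f3a" } }; // cookie sessions
const BEARER_TOKENS = { "tok-abc": { user: "alice" } }; // tokens the client keeps in localStorage

// Safe (read-only) methods: a cookie alone is acceptable here, which is what
// lets <img src="..."> fetch an authenticated image without any header.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Length-independent comparison so token checks do not leak via timing.
function safeEqual(a, b) {
  a = String(a); b = String(b);
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// req is a hypothetical plain object: { method, headers, cookies, body }.
// Returns { ok, user } on success or { ok: false, reason } on failure.
function authorize(req) {
  const auth = (req.headers && req.headers.authorization) || "";
  if (auth.startsWith("Bearer ")) {
    // Script attached this header; the browser never adds it by itself, so a
    // cross-site page cannot make the victim's token ride along: no cookie, no CSRF.
    const t = BEARER_TOKENS[auth.slice("Bearer ".length)];
    return t ? { ok: true, user: t.user } : { ok: false, reason: "bad token" };
  }
  const sid = req.cookies && req.cookies.sid;
  const session = SESSIONS[sid];
  if (!session) return { ok: false, reason: "no credentials" };
  if (SAFE_METHODS.has(req.method)) return { ok: true, user: session.user };
  // Cookies are sent automatically, so a state-changing request must also carry
  // the per-session CSRF token the page received as a hidden form value.
  const supplied = (req.body && req.body._csrf) || (req.headers && req.headers["x-csrf-token"]);
  if (!supplied || !safeEqual(supplied, session.csrf)) {
    return { ok: false, reason: "missing or invalid CSRF token" };
  }
  return { ok: true, user: session.user };
}
```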