I have one general doubt!
Storing the JWT token in local storage is unsafe due to XSS vulnerabilities, right? But Convex stores them in local storage?
XSS is only an issue when you receive something from the user and render it on the page.
That way a user can inject JS code on the page, and get your cookie and send it to another server, and then log in using your identity.
So is it safe to store tokens in local storage?
Yes.
thank you!!
I found some information for you @Sanjay R while reading the documentation 😄
...to allow immediate authentication across page loads, both are stored in localStorage by default, but you can choose a different storage mechanism via the storage prop.
react - Convex Auth
Authentication library for your Convex backend
If you want to change the storage, you can do it yourself.
Storing JWTs in localStorage is very common practice
Linking to https://labs.convex.dev/auth/security + echoing erquhart's statement that this is a fairly common practice