token-storage
Safeguard articles tagged "token-storage" — guides, analysis, and best practices for software supply chain and application security.
4 articles
Where should your SPA store auth tokens?
OWASP has warned against localStorage tokens for years, yet it remains the default in countless SPA tutorials — one XSS bug is all it takes to exfiltrate every session.
A methodology for testing SPAs for client-side vulnerabilities
DOM XSS, token storage, and API exposure don't show up in a server-side scan — here's a repeatable methodology for testing React, Vue, and Angular apps.
Secure JWT handling: algorithm confusion, expiry, and storage done right
A single unchecked `alg` header turned jsonwebtoken into a forgeable token in CVE-2015-9235 — here's how to close every hole RFC 8725 warns about.
Single-Page Application Security: Tokens, XSS, and the Public Bundle
In an SPA, one XSS is game over and your entire bundle is public. Here's how token storage, CSP, OAuth PKCE, and CORS decide whether your SPA holds.