Reputation: 121
I have a SPA Angular 5 application with an ASP.NET Core Web API as a pure Web API at the backend (they could be hosted on different servers/domains). After searching and reading online, I know we could store the token either in localStorage or in HttpOnly cookies, but both of these methods have their own vulnerabilities (localStorage is susceptible to XSS, a cookie would be vulnerable to CSRF).
So I would like to know:
Thanks.
Upvotes: 0
Views: 835
Reputation: 680
JWTs are like a user ID and password; you shouldn't use localStorage for sensitive data, it is not meant for that. Read for example this good article and this YouTube video:
https://dev.to/rdegges/please-stop-using-local-storage-1i04 and https://medium.com/spektrakel-blog/local-storage-is-not-a-secure-place-9542cbfa904a XSRF/CSRF can be avoided with various techniques; read OWASP:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
A common way to do so (Double Submit Cookie) is to use an xsrf-token added to the HTTP(S) header of each request, because an attacker cannot modify the HTTP header of a request.
Basically you have to send two cookies:
1) HttpOnly cookie with the JWT
2) non-HttpOnly cookie with the xsrf-token
Then create an interceptor that reads the xsrf-token from the cookie and adds a header x-xsrf-token. Server side, check if the xsrf-token in the JWT is equal to the token in x-xsrf-token (use an unguessable algorithm for the xsrf-token).
Hope it helps.
Upvotes: 1
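As an added example (not code from the question or the answer above), here is a TypeScript sketch of the double-submit-cookie flow the answer describes, with both halves in one runnable file: on login the server mints an unguessable xsrf-token, binds it into the JWT as a claim and sets the HttpOnly JWT cookie plus the readable XSRF-TOKEN cookie; the client side does what the Angular interceptor does (copy XSRF-TOKEN into an x-xsrf-token header); and the server check verifies the JWT and compares the header value against the claim. The secret, cookie names, header name and the minimal HS256 JWT helper are assumptions made for the demo; a real application would use the framework's JWT and antiforgery libraries instead.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

// Constructed names for this demo; the cookie/header names follow the
// defaults Angular's HttpClientXsrfModule uses.
const JWT_SECRET = "demo-only-secret-replace-with-a-real-key"; // constructed
const JWT_COOKIE = "access_token";  // HttpOnly cookie carrying the JWT
const XSRF_COOKIE = "XSRF-TOKEN";   // readable cookie carrying the xsrf-token
const XSRF_HEADER = "x-xsrf-token"; // header the interceptor adds

function b64url(data: Buffer | string): string {
  const buf = typeof data === "string" ? Buffer.from(data, "utf8") : data;
  return buf.toString("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
}
function b64urlDecode(s: string): Buffer {
  const padded = s + "=".repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}
// Constant-time compare so the token check does not leak by timing.
function safeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a, "utf8"), bb = Buffer.from(b, "utf8");
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Minimal HS256 JWT, just enough to carry the xsrf claim (not a production library).
function signJwt(claims: Record<string, unknown>, secret: string): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const sig = b64url(createHmac("sha256", secret).update(`${header}.${payload}`).digest());
  return `${header}.${payload}.${sig}`;
}
function verifyJwt(token: string, secret: string,
                   nowSec = Math.floor(Date.now() / 1000)): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = b64urlDecode(s);
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return null;
  let claims: Record<string, unknown>;
  try { claims = JSON.parse(b64urlDecode(p).toString("utf8")); } catch { return null; }
  if (typeof claims.exp === "number" && claims.exp < nowSec) return null; // expired
  return claims;
}

function parseCookies(cookieHeader: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Server, on login: random xsrf-token bound into the JWT, two Set-Cookie headers.
// SameSite=Strict assumes SPA and API share a site; a cross-site API would need
// SameSite=None; Secure plus CORS configured for credentials.
function issueSession(userId: string): { setCookies: string[]; jwt: string; xsrf: string } {
  const xsrf = randomBytes(32).toString("hex");
  const jwt = signJwt({ sub: userId, xsrf, exp: Math.floor(Date.now() / 1000) + 3600 }, JWT_SECRET);
  return {
    setCookies: [
      `${JWT_COOKIE}=${jwt}; HttpOnly; Secure; SameSite=Strict; Path=/`,
      `${XSRF_COOKIE}=${xsrf}; Secure; SameSite=Strict; Path=/`,
    ],
    jwt, xsrf,
  };
}

type ApiRequest = { cookie: string; headers: Record<string, string> };
type AuthResult = { ok: boolean; reason: string; userId?: string };

// Client: the interceptor's job. In a browser, document.cookie exposes only the
// non-HttpOnly XSRF-TOKEN; the browser attaches both cookies to the request itself.
function buildClientRequest(browserCookies: string): ApiRequest {
  const xsrf = parseCookies(browserCookies)[XSRF_COOKIE];
  const headers: Record<string, string> = {};
  if (xsrf) headers[XSRF_HEADER] = xsrf;
  return { cookie: browserCookies, headers };
}

// Server, per request: valid JWT, then header token must equal the xsrf claim.
function authorizeRequest(req: ApiRequest): AuthResult {
  const jwt = parseCookies(req.cookie)[JWT_COOKIE];
  if (!jwt) return { ok: false, reason: "no session cookie" };
  const claims = verifyJwt(jwt, JWT_SECRET);
  if (!claims) return { ok: false, reason: "invalid or expired JWT" };
  const fromHeader = req.headers[XSRF_HEADER];
  const fromClaim = claims.xsrf;
  if (typeof fromHeader !== "string" || typeof fromClaim !== "string" || !safeEqual(fromHeader, fromClaim))
    return { ok: false, reason: "xsrf-token missing or mismatched" };
  return { ok: true, reason: "ok", userId: String(claims.sub) };
}

// The SPA's own request passes; a cross-site request carries the cookies but no
// header (the foreign page cannot read XSRF-TOKEN); a guessed header fails too.
function demo() {
  const session = issueSession("alice");
  const jar = `${JWT_COOKIE}=${session.jwt}; ${XSRF_COOKIE}=${session.xsrf}`;
  return {
    legit: authorizeRequest(buildClientRequest(jar)),
    crossSite: authorizeRequest({ cookie: jar, headers: {} }),
    guessed: authorizeRequest({ cookie: jar, headers: { [XSRF_HEADER]: "0000" } }),
  };
}
console.log(demo());
```

The important property is that the server does not compare the header against the readable cookie alone, but against the copy sealed inside the signed JWT: a request that presents a matching cookie/header pair the server never issued still fails the signature check.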