Option 1: Store your access token in localStorage: prone to XSS.

Option 2: Store your access token in an httpOnly cookie: prone to CSRF, but that can be mitigated; a bit better in terms of exposure to XSS.

Option 3: Store the refresh token in an httpOnly cookie: safe from CSRF, a bit better in terms of exposure to XSS. We'll go over how Option 3 works, as it is the best of the three options.