- Straight-to-the-point instructions regarding localStorage and cookies as a storage method for
Option 1: Store your access token in localStorage: prone to XSS.
Option 2: Store your access token in httpOnly cookie: prone to CSRF but can be mitigated, a bit better in terms of exposure to XSS.
Option 3: Store the refresh token in httpOnly cookie: safe from CSRF, a bit better in terms of exposure to XSS. We’ll go over how Option 3 works as it is the best out of the 3 options.