0 votes
268 views
in Technique by (71.8m points)

reactjs - Django rest auth store token securely

I'm trying to implement authentication with the django-rest-auth library in the backend, and I'm using React for the front-end. Django-rest-auth returns a token after authentication, and I was wondering how to handle it.

  • From a security perspective, can that token be saved in an HttpOnly cookie, or should it be kept only in memory?

  • Is there a tested approach to achieving local persistence with django-rest-auth and React without introducing vulnerabilities into the website?

question from: https://stackoverflow.com/questions/65945414/django-rest-auth-store-token-securely


1 Reply

0 votes
by (71.8m points)

Every method of storing a token on the client side has some weakness:

  • storing the token in an HttpOnly cookie makes the application vulnerable to CSRF attacks
  • storing the token in localStorage makes the application vulnerable to XSS attacks

I'm personally using localStorage to store the token because it is convenient. React has built-in XSS prevention, and you can additionally switch on CSP (Content Security Policy). I wrote an article about my approach: https://saasitive.com/tutorial/react-token-based-authentication-django/ - the httpOnly vs localStorage discussion is at the end of the post. There is also a full tutorial on how to start a SaaS app with Django and React (link).


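An added example (not code from the question, the answer, or the linked tutorial) showing the client-side half of the trade-off above: a token held in memory or in localStorage is sent explicitly in the Authorization header, while an HttpOnly cookie is attached by the browser and so needs Django's CSRF token on unsafe methods. It assumes django-rest-auth's default DRF TokenAuthentication scheme (`Authorization: Token <key>`) and Django's default CSRF cookie and header names (`csrftoken`, `X-CSRFToken`); the storage object is passed in so the code runs outside a browser (pass `window.localStorage` in React).

```javascript
// Mode A: token kept only in JS memory. Lost on reload, not readable by other
// scripts' persisted state, and never sent automatically by the browser.
function memoryStore() {
  let token = null;
  return { get: () => token, set: (t) => { token = t; }, clear: () => { token = null; } };
}

// Mode B: token persisted in localStorage (or any getItem/setItem/removeItem object).
// Readable by any script on the origin, so XSS is the risk and CSP the compensating control.
function localStorageStore(storage, key = "authToken") {
  return {
    get: () => storage.getItem(key),
    set: (t) => storage.setItem(key, t),
    clear: () => storage.removeItem(key),
  };
}

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

const UNSAFE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Build request headers for a fetch() call.
//  - If the app holds the token itself, send it explicitly; CSRF does not apply
//    because the browser never attaches this header on its own.
//  - Otherwise the auth credential is an HttpOnly cookie the browser sends
//    automatically, so unsafe methods must carry Django's CSRF token (double submit).
function buildHeaders(method, store, cookieString = "") {
  const headers = { "Content-Type": "application/json" };
  const token = store.get();
  if (token) {
    headers["Authorization"] = `Token ${token}`;
    return headers;
  }
  if (UNSAFE_METHODS.has(method.toUpperCase())) {
    const csrf = parseCookies(cookieString).csrftoken;
    if (!csrf) throw new Error("cookie-session mode: csrftoken cookie missing for " + method);
    headers["X-CSRFToken"] = csrf;
  }
  return headers;
}

// CSP response header value of the kind the answer refers to (set server-side):
// scripts only from the app's own origin, no inline scripts, no plugins.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
```

Pair the cookie mode with `Secure`, `HttpOnly` and `SameSite=Lax` or stricter on the cookie itself, and the localStorage mode with the CSP header above; neither client-side helper removes the need for the corresponding server-side setting.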