I have built a basic REST API that uses JSON Web Tokens for authentication. Currently, I have built my frontend to store the JWTs in localStorage. I have read this is insecure and want to switch to cookies. The login route on my API returns the JWT token pair back to the client (and the refresh token route returns the new access token).

As far as I understand, an attacker could do an XMLHttpRequest on the refresh token route while the user is logged in, and then access the new access token from the response. Is this true, is it a security issue, or can I keep returning the tokens (and also send the tokens in cookies)?