Aren’t cookies also vulnerable to XSS attacks?

… JWT, which should contain an encoded user identifier in JSON format signed by our back-end server. We put the JWT into our cookie so that we don’t have to store it in local-storage and risk XSS attacks. This is what an authentication process for a user named TheLegend27 might look like using JWTs:

Sessionless Authentication using JWTs (with Node + Express + Passport JS)

5.3K

Bryan Manuele (Fermi Dirak)