Comments:

You did not demonstrate an actual attack. Everything you show is just an "imagine" and an "if" scenario that did not happen at all.

This isn't great, I'm afraid. Security is a bit more involved than this.
JWT is where you should be storing secure information. Only enough to authenticate and look up values on the server side.
The JS only needs to know enough to pass in headers and cookies.
Also worth mentioning that Chrome extensions can inject JavaScript into the website. So even if your website is not vulnerable to XSS attacks, Chrome extensions can still take advantage of local storage.

Nice video, albeit a bit mistitled. LocalStorage was not a mistake; it is just that people (myself included) started using it as the wrong tool for resolving the challenges we had at hand.

That is bullshit; it is literally impossible to get XSS if you do not use dangerous methods. Also, if the attacker can already execute JS, it is not a big deal that he can steal the token: he can already programmatically do any action with the user's account. He does not need the token to actually do that; he can just directly use fetch from the user's browser.
Also, there are many preventive methods that must be involved, like CSP, that prevent any leaks to the attacker's C2.

Nice video, but I have a question. When using an Express backend that sends the JWT access and refresh tokens, and we store them inside the next-auth JWT token, then when we load a page with getSession and serve the user the session with the two tokens, we are getting the same problem the video presented, right? Because the main question is: if we access the next-auth JWT and send the access token stored in it in a header, we are serving this token in JS, right?

Google stopped using cookies. So you should stop using cookies as well, lol.

This is like worrying about a thief peeking at your p*n collection when he enters your home SOMEHOW.
I didn't watch the whole video because the first part threw me off.
The server could alternatively use CSP to block injection, using nonces.
Where should I put them? Inside a div, of course. If only I knew how to center them.

Always use secret local storage, like react-secure-storage, and you are good to go 🎉 🎉

Wow Josh, you deleted my comment because I said I am leaving the React world? What's wrong with what I wrote?

Can you please make a tutorial using Authjs V5, the cookie approach, and server actions. Please!!! 😊

Josh, next time choose an advanced topic.

Now make a video on how we can store data in cookies...

Local storage was not a mistake. It has its uses. Even cookies are not secure if you don't have the correct configuration. People should stop using local storage for what it is not meant for, lol.

If someone can find a way to execute JavaScript on your app, then you are already screwed; it doesn't matter if your token is in cookies or local storage.

Can't we just encrypt the data, with the secret word saved in an environment value? This way, even if they manage to get the data it is useless, or am I wrong?

So we have to use an AES encryption layer.

This is... misinformation.

Mr Josh is a legend instructor...

Where do you think the user gets his cookies from?
If the XSS attacker, instead of taking the cookies from the browser,
just asks for more cookies from the server on behalf of the user...
there you go.
Once your website is XSS-attackable, you are doomed.
Now he banned local storage. The channel should be renamed "Josh is still figuring out Coding".

I like it... you don't put any secure data stuff in it anyway xD lol. This is just blubbering nonsense. Who thinks that way anyway xD omg

Server-side JavaScript was a mistake.

Leaves the door open:
- look how houses are insecure
For viewers: it's OK to use LS :)

I beg everyone to just think. During XSS the attacker becomes YOU!! It doesn't matter if they have your tokens or not; if you're logged in, they ARE YOU. You're rekt regardless of how securely that auth token is placed.
Invalidating all sessions immediately and fixing the XSS vulnerability is the only solution.
The solution to XSS is to sanitize your inputs and outputs, not to never use localStorage. If you're using a popular framework, it's probably already sanitizing your outputs for you. I feel like this video is mixing up a bunch of topics that don't necessarily need to be... it comes across as a bit unfocused to me.

You are using localStorage in the wrong way. Save theme data there, what page the user is on, on a table. localStorage was not a mistake; what makes you think you are smarter than a whole corporation? They thought about it long and hard.

Josh, you got me back into coding. I use your stuff day to day and I love how you structure your projects! Thank you for all that you do.

This is such incomplete and utterly garbage advice.

Ummm, I would love to inform you that cookies aren't safe anymore.

My god, dude, learn how the web works. Cookies do nothing for you if an attacker is in; he can make requests that pass along the cookie.

Bro, I think LS just works on a single domain and is separate for every user, so there is really no way for hackers to access someone else's LS, and using a cookie as an alternative won't change anything; hackers only have access to their own data.

Jesus Fucking Christ, now I understand why React is popular.

I hung my front door key from the screen door, now someone has taken all my stuff. Don't use doors.

I am disappointed by this video because I was really enjoying the content until now.

So what are the alternatives to local storage?