LocalStorage was a mistake...

Josh tried coding

4 months ago

44,651 views

Comments:

@genechristiansomoza4931 - 08.01.2024 00:58

You did not demonstrate an actual attack. All things you show is just "imagine" and an "if" scenario that did not happen at all

@JakeAndDaddy - 08.01.2024 01:12

This isn’t great I’m afraid. Security is a bit more involved than this.
JWT is where you should be storing secure information. Only enough to authenticate and look up values on the server side.
The JS only needs to know enough to pass in headers and cookies

@Akshatgiri - 08.01.2024 01:23

Also worth mentioning that chrome extensions can inject javascript to the website. So even if your website is not vulnerable to xss attacks, chrome extensions can still take advantage of local storage.

@brunocabral88 - 08.01.2024 01:35

Nice video, albeit a bit mistitled.. LocalStorage was not a mistake, it is just that people (myself included) started using it as a wrong tool for resolving the challenges we had at hand

@maratmkhitaryan9723 - 08.01.2024 02:06

That is bullshit, literally impossible to get XSS if you do not use dangerous methods. Also, if the attacker can execute JS already it is not a big deal that he can steal the token, he already can programmatically do any action with the user's account. He does not need the token to actually do that, he can just directly use fetch from the user's browser.

Also, there are many preventive methods that must be involved like CSP that avoid any leaks to attacker's C2.

@azusagawa - 08.01.2024 02:45

Nice video, but I have a question. When using an express backend that is sending the JWT access and refresh token, and we store them inside the next-auth jwt token, when we load a page with getSession and serve the user the session with the two tokens, we are getting the same problem the video presented, right? Because the main question is: if we access the nextauth jwt and send the accesstoken stored in the header, we are serving this token in js, right?

@maverick456-33 - 08.01.2024 03:28

Google stopped using Cookie. So you should stop using cookie as well lol

@anasouardini - 08.01.2024 03:56

This is like worrying about a thief peeking at your p*n collection when he enters your home SOMEHOW.
I didn't watch the whole video because the first part threw me off.

@twocsies - 08.01.2024 04:25

The server could alternately use CSP to prevent access to injection using nonces.

@mintx1720 - 08.01.2024 04:51

Where should I put them? Inside a div of course. If only I know how to center them.

@M.FaisalAmin - 08.01.2024 05:21

Always use secret local storage, like react-secure-storage and you are good to go 🎉 🎉

@Hypergraph - 08.01.2024 05:36

wow Josh you deleted my comment because i said i am leaving react world? what's wrong with what i wrote?

@user-sc2dc4ud7b - 08.01.2024 06:54

Can you please make a tutorial using Authjs V5, cookie approach, and server actions. Please!!! 😊

@mohammedilyas17 - 08.01.2024 07:10

Josh, next time choose an advanced topic

@johnxina3536 - 08.01.2024 08:03

Now make video on how we can store data in cookies.....

@BlurryBit - 08.01.2024 09:29

Local storage was not a mistake. It has its uses. Even cookies are not secure if you don't have the correct configuration. People should stop using local storage for what it is not meant for lol.

@jaspreetmaan121 - 08.01.2024 09:34

if someone can find a way to execute javascript on your app, then you are already screwed, doesn't matter if your token is in cookies or local storage

@user-ms5nu1co5q - 08.01.2024 11:06

Can't we just encrypt the data and the secret word will be saved in an environment value? This way even if they manage to get the data it is useless, or am I wrong?

@maxterminatorx - 08.01.2024 11:42

So we have to use AES encryption layer

@andrei_fyi - 08.01.2024 11:48

this is... misinformation

@umargulzar2982 - 08.01.2024 12:09

Mr Josh is a Legend instructor...

@haithem8906 - 08.01.2024 12:22

where do you think the user gets his cookies from.
if the xss attacker instead of taking the cookies from the browser,
he will just ask for more cookies from the server on behalf of the user.

... there you go.
once your website is xss attackable.. you are doomed

@CookerSingh - 08.01.2024 14:20

Now he banned local storage. The channel should be renamed as "Josh is still figuring out Coding"

@backupmemories897 - 08.01.2024 14:41

i like it.. u dont put any secure data stuff on it anyway xD lol.. this is just blubbering nonsense. who thinks that way anyway xD omg

@Kats0unam1 - 08.01.2024 14:58

Server side Javascript was a mistake

@codeline9387 - 08.01.2024 15:27

leaves the door open:
- look how houses are insecure

@krome305 - 08.01.2024 15:52

for viewers: it's ok to use LS :)

@philheathslegalteam - 08.01.2024 16:47

I beg everyone to just think. During XSS the attacker becomes YOU!! It doesn't matter if they have your tokens or not, if you're logged in they ARE YOU. You're rekt regardless of how securely that auth token is placed.

Invalidating all sessions immediately and fixing the XSS vulnerability is the only solution.

@David-gj6dc - 08.01.2024 19:19

The solution to XSS is to sanitize your inputs and outputs, not to never use localStorage. If you're using a popular framework it's probably already sanitizing your outputs for you even. I feel like this video is mixing up a bunch of topics that don't necessarily need to be. It comes across as a bit unfocused to me

@bbfrancis23 - 08.01.2024 21:09

You are using localstorage in the wrong way. Save theme data there, what page the user is on, on a table. Localstorage was not a mistake, what makes you think you are smarter than a whole corporation? They thought about it long and hard.

@NateTron99 - 09.01.2024 02:54

josh u got me back into coding i use ur stuff day to day and i love how you structure your projects! thank you for all that you do

@edd6927 - 09.01.2024 08:19

This is such incomplete and utterly garbage advice

@halimnabil4575 - 09.01.2024 10:55

Ummm i would love to inform you that cookies aren't safe anymore

@bgdnsr - 09.01.2024 11:31

my god dude, learn how the web works. cookies do nothing for you if an attacker is in, he can make requests that pass along the cookie

@forever-knight - 09.01.2024 20:05

Bro I think LS just works on a single domain and is separate for every user, so there is really no way for hackers to access someone else's LS, and using a cookie as an alternative won't change anything, hackers only have access to their own data.

@guseynismayylov1945 - 10.01.2024 18:14

Jesus Fucking Christ, now I understand why react is popular.

@NuncNuncNuncNunc - 19.01.2024 20:55

I hung my front door key from the screen door, now someone has taken all my stuff. Don't use doors.

@anaalmeida2327 - 29.03.2024 21:11

I am disappointed by this video because I was really enjoying the content until now

@kellog89 - 15.05.2024 09:51

So what are the alternatives to local storage?
