I’m currently working on a social network app. For the backend I’m using Django, and for the frontend React-TS. After doing a bit of research, I’ve decided to use a JWT (generated with the help of rest_framework_simplejwt) and send it in requests as a Bearer token.

Currently, I’m saving the access token and the refresh token in local storage, but having read a bit about how storing tokens in local storage can pose security risks, such as exposure to Cross-Site Scripting (XSS) attacks, I grew a bit worried.

I thought I’d ask here since I came across too many suggestions online (HTTP-only cookies, database storage with encryption, and password-based encryption). Since I lack the experience to decide which to use when, I would appreciate any and all advice.

How do you store your Tokens and why?
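As an added example, not code from the original post nor from Django or rest_framework_simplejwt, the stdlib-only Python below models the server side of the split that usually comes out of this comparison: the short-lived access token stays in frontend memory and travels as a Bearer header, the refresh token is delivered in an HttpOnly cookie scoped to the refresh endpoint so injected scripts cannot read it and ordinary API calls never send it, and the refresh view checks the Origin header because the browser attaches that cookie on its own. The endpoint path, the 14-day lifetime, the cookie name and the allowed origin are assumptions.

```python
"""Refresh-token cookie helpers for the "access token in memory, refresh token in
an HttpOnly cookie" pattern. Added example code; the path, lifetime, cookie name
and origins are assumptions, not settings from any real project."""
from http.cookies import SimpleCookie
from typing import Optional

REFRESH_PATH = "/api/token/refresh/"   # assumed path of the refresh endpoint
REFRESH_MAX_AGE = 14 * 24 * 3600       # assumed 14-day refresh-token lifetime
COOKIE_NAME = "refresh"                # assumed cookie name


def build_refresh_cookie(refresh_token: str, *, path: str = REFRESH_PATH,
                         max_age: int = REFRESH_MAX_AGE) -> str:
    """Return the Set-Cookie header value carrying the refresh token.

    HttpOnly keeps it out of reach of page scripts (the XSS concern with
    localStorage), Secure restricts it to HTTPS, SameSite=Strict stops
    cross-site requests from carrying it, and Path limits it to the refresh
    endpoint so the rest of the API never receives it.
    """
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = refresh_token
    morsel = cookie[COOKIE_NAME]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = path
    morsel["max-age"] = max_age
    return morsel.OutputString()


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into {"name", "value", "attrs"} for inspection.

    Flag attributes (HttpOnly, Secure) map to True; valued ones keep their
    string. Attribute names are lowercased so comparisons are case-insensitive.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.lower()] = val if sep else True
    return {"name": name, "value": value, "attrs": attrs}


def cookie_is_hardened(header: str, path: str = REFRESH_PATH) -> bool:
    """Check that a Set-Cookie value carries every attribute the pattern relies on."""
    attrs = parse_set_cookie(header)["attrs"]
    return (attrs.get("httponly") is True
            and attrs.get("secure") is True
            and str(attrs.get("samesite", "")).lower() in ("strict", "lax")
            and attrs.get("path") == path)


def refresh_request_allowed(origin: Optional[str],
                            allowed_origins: frozenset) -> bool:
    """Gate the refresh view on the Origin header.

    The browser attaches the refresh cookie automatically, so the view must
    confirm the POST came from our own frontend. Fetch-initiated POST requests
    carry an Origin header, so a request without one is rejected as well.
    """
    return origin is not None and origin in allowed_origins


if __name__ == "__main__":
    # Constructed token value, not a real JWT.
    header = build_refresh_cookie("eyJhbGciOiJIUzI1NiJ9.e30.abc-_")
    print(header)
    print("hardened:", cookie_is_hardened(header))
    print("refresh from app allowed:",
          refresh_request_allowed("https://app.example.com",
                                  frozenset({"https://app.example.com"})))
```

On the React side the matching call is a `fetch` of the refresh endpoint with `credentials: 'include'`, after which the returned access token is kept in a variable or React state rather than written to localStorage; because the cookie's Path only matches the refresh endpoint, normal API requests carry the Bearer header and nothing else.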