I have APIs created using Laravel and for token authentication I am using Laravel Sanctum.
The same APIs are used by mobile applications and SPA(ReactJs).
My problem is storing token in ReactJS application. If I use it in local storage then there are chances of security.
What is the best option to store the token in ReactJs application while using Laravel Sanctum.?
Important point is that ReactJS application and APIs Backend server are on different server.
Laravel Santcum has two types of API authentication:
- SPA Authentication
- Mobile Application Authentication
Using SPA authentication is recommended in your use case for React. It has some security benefits like CSRF protection, session authentication and protecting your website against XSS attacks. When you set a session manually it can be read by third-party JS plugins but if you use SPA, it set cookies with HttpOnly flag that can't be read by third-party scripts.
For more info read here:
Use the HttpOnly attribute to prevent access to cookie values via JavaScript.