Securing a Web App Using JWT and Vanilla JavaScript

Based on my search on authenticating users using JWT, I’ve found that JWTs can be vulnerable to XSS attacks. I’ve read that one of the ways to prevent XSS attacks on JWT is to create two JWTs, one for a refresh token and another for an access token. These are generated on first login by the users, and they are generated on the server and stored in HttpOnly cookies on the server.

Being cookies, their expiration dates can be set. After their generation and storage, they are sent to the front-end to be stored in memory. In other words, they are stored in variables on the front-end. Then these tokens are sent with each request to the server. If their expiration dates have been reached, a new JWT is created, stored in HttpOnly cookies, and sent to the front-end to be stored in memory.

The questions I have are: if I’m using the .NET framework for the back-end and vanilla JavaScript on the front-end, how do I safely get the JWT values from the HttpOnly cookies and store them on the front-end if JavaScript cannot be used to access HttpOnly cookies, and can this truly prevent XSS attacks on JWTs?

Have a read…

This might answer your questions.