SShortSingh.
Back to feed

How to Securely Store and Manage Refresh Tokens in Frontend Web Apps

0
·2 views

Modern single-page applications using JWT-based authentication rely on two tokens: a short-lived Access Token for authorizing requests and a longer-lived Refresh Token for renewing access without forcing repeated logins. Storing Refresh Tokens in localStorage is considered unsafe because JavaScript can read it, making the token vulnerable to theft via cross-site scripting attacks. The recommended approach is to keep Access Tokens in memory and let the server store Refresh Tokens in HttpOnly, Secure, SameSite cookies, which are inaccessible to JavaScript. When an Access Token expires and the server returns a 401 error, the frontend silently calls a refresh endpoint, and the cookie is sent automatically to obtain a new token pair. This architecture balances security and user experience by limiting token exposure while keeping users logged in across sessions.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

LoRA AI Lets Developers Train Custom Image Models Without a Local GPU

A browser-based platform called LoRA AI has been developed to let creators train custom LoRA models for AI image and video generation without needing a local GPU setup. LoRA, or Low-Rank Adaptation, trains a small set of additional parameters to guide a base diffusion model toward a consistent subject, style, or character. The tool is aimed at developers and creators who need repeatable visual outputs — such as a brand mascot, product, or fictional character — across multiple generated images. Users can prepare a dataset, train a LoRA, and then reuse it directly within the platform for image editing and short video creation. The workflow removes the need to configure Python environments, CUDA, or compatible PyTorch versions typically required for local model training.

0
ProgrammingDEV Community ·

Egregor Platform Uses Multi-AI Consilium to Audit Smart Contracts and Code

Developer Vladislav Shter has built Egregor, a local multi-AI system designed to perform comprehensive audits of smart contracts and software code. The platform runs multiple AI models in a consilium structure to reduce echo chambers and algorithmic blind spots that can occur with single-model analysis. Egregor is positioned as part of Shter's broader Sovereign Ecosystem project. The tool supports data privacy and is capable of analyzing large code archives locally, without sending data to external servers. Source code and demos have been published on GitHub and GitVerse, with additional details available on the Sovereign Ecosystem website.

0
ProgrammingDEV Community ·

Developer Rebuilds Entire Billing Stack After Stripe Bans PDF Forensics Tool

A Finnish developer behind htpbe.tech, a PDF-editing detection tool, had their Stripe account terminated after the platform's automated system apparently flagged the business as high-risk due to keywords like 'fake document detection.' Stripe's appeal process returned a rejection in eight seconds, with no meaningful human review despite the developer submitting tax records, company registration, and other legal documentation. Following the ban, Stripe refunded the last five days of customer payments, leaving the developer to resolve those transactions independently. The developer migrated to EU-based payment processor Mollie, finding that one-off payments were straightforward but rebuilding subscription billing — including mandates, proration, VAT, invoicing, and dunning — took roughly two weeks of manual development. The experience highlighted that Stripe functions as a full billing platform rather than a simple payment processor, meaning a forced migration involves far more than switching a payments API.

0
ProgrammingDEV Community ·

Tenant Screening Platforms Face Fraud Risk Gap Despite Multi-Signal Verification

Tenant screening SaaS platforms that rely on OCR, credit pulls, and Plaid income verification still face a structural vulnerability: applicants committing bank statement fraud routinely decline Plaid opt-in and submit manipulated PDFs instead. Startup Snappt raised over $100 million addressing this gap, signaling the market recognizes document fraud detection as a real and largely unsolved problem. Platforms typically charge $35–$75 per applicant screening, but a single missed fraud case can erase the gross margin from hundreds of clean screens and expose the platform to direct liability claims, client churn, and fair-housing scrutiny. Landlords who suffer financial losses from fraudulent applicants cleared by a screening platform often pursue legal recourse against that platform, sometimes resulting in settlements exceeding contractual liability caps. Adding structural PDF forensics as an additional signal layer is described as one of the lowest-cost interventions available per applicant to close this detection gap.