I'm trying to implement authentication with the django-rest-auth library in the backend, and I'm using React for the front-end. django-rest-auth returns a token after authentication, and I was wondering how to handle it.
From a security perspective, can that token be saved in an HttpOnly cookie, or should it be kept only in memory?
Is there a tested approach to achieve local persistence with django-rest-auth and React without introducing vulnerabilities into the website?
Every method of storing a token on the client side has some weakness:
I'm personally using localStorage to store the token because it is convenient. React has built-in XSS prevention, and you can additionally switch on CSP (Content Security Protection). I wrote an article about my approach: https://saasitive.com/tutorial/react-token-based-authentication-django/ - the httpOnly vs localStorage discussion is at the end of the post. There is also a full tutorial on how to start a SaaS app with Django and React (link).
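The HttpOnly-cookie option the question asks about, worked through as an added example (this is not django-rest-auth code and not from the answer's tutorial): a pure-Python model of a login response that puts the token in an HttpOnly, Secure, SameSite cookie instead of the JSON body, a helper showing which cookies `document.cookie` would still expose, and a request-side check that resolves the token and enforces the double-submit CSRF proof that cookie transport requires. The cookie name `auth_token`, the `token_table` dict standing in for the DRF `Token` model, and all request headers are constructed assumptions.

```python
# Added example: modelling HttpOnly-cookie transport for a DRF-style token.
# Not django-rest-auth code; cookie names, token_table and headers are constructed.
import hmac
import secrets
from http.cookies import SimpleCookie

TOKEN_COOKIE = "auth_token"      # hypothetical cookie name for the rest-auth key
CSRF_COOKIE = "csrftoken"        # Django's default CSRF cookie name
CSRF_HEADER = "X-CSRFToken"      # header the React client echoes the CSRF cookie into
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


class CsrfFailure(Exception):
    """Raised for a state-changing request whose CSRF proof is missing or wrong."""


def build_set_cookie(name, value, max_age, http_only, same_site="Lax"):
    """Render one Set-Cookie header value with the attributes a token cookie needs."""
    parts = [f"{name}={value}", f"Max-Age={max_age}", "Path=/", "Secure",
             f"SameSite={same_site}"]
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def login_response_headers(token, csrf_token, max_age=14 * 24 * 3600):
    """Set-Cookie values a login view would emit instead of returning the key in JSON.

    The auth token is HttpOnly so injected script cannot read it via document.cookie.
    The CSRF token deliberately is not: the client must read it and echo it back in
    a header (double-submit pattern) on every POST/PUT/PATCH/DELETE.
    """
    return [
        build_set_cookie(TOKEN_COOKIE, token, max_age, http_only=True),
        build_set_cookie(CSRF_COOKIE, csrf_token, max_age, http_only=False),
    ]


def script_visible_cookies(set_cookie_headers):
    """Names of cookies that document.cookie would expose (those lacking HttpOnly)."""
    visible = []
    for header in set_cookie_headers:
        attrs = [p.strip() for p in header.split(";")]
        name = attrs[0].split("=", 1)[0]
        if not any(a.lower() == "httponly" for a in attrs[1:]):
            visible.append(name)
    return visible


def parse_cookies(cookie_header):
    """Parse a request Cookie header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def authenticate(method, headers, token_table):
    """Resolve the user for a request that carries the token cookie.

    headers: dict of request headers (constructed). token_table: token -> username,
    standing in for rest_framework.authtoken's Token model (assumption).
    Returns the username, or None for an anonymous request; raises CsrfFailure for
    an unsafe method without a valid CSRF proof.
    """
    cookies = parse_cookies(headers.get("Cookie"))
    token = cookies.get(TOKEN_COOKIE)
    if token is None:
        return None
    if method.upper() not in SAFE_METHODS:
        # The browser attaches cookies automatically, so a cross-site form post would
        # carry the token too; demand proof the caller could read our CSRF cookie.
        expected = cookies.get(CSRF_COOKIE, "")
        provided = headers.get(CSRF_HEADER, "")
        if not expected or not hmac.compare_digest(expected, provided):
            raise CsrfFailure("CSRF token missing or mismatched")
    return token_table.get(token)


if __name__ == "__main__":
    token, csrf = secrets.token_hex(20), secrets.token_urlsafe(32)
    for h in login_response_headers(token, csrf):
        print("Set-Cookie:", h)
    print("readable by page script:", script_visible_cookies(login_response_headers(token, csrf)))
    cookie_hdr = f"{TOKEN_COOKIE}={token}; {CSRF_COOKIE}={csrf}"
    print(authenticate("GET", {"Cookie": cookie_hdr}, {token: "alice"}))
    print(authenticate("POST", {"Cookie": cookie_hdr, CSRF_HEADER: csrf}, {token: "alice"}))
```

The trade-off the model makes visible: with localStorage, any script that runs in the page (an XSS payload or a compromised dependency) can read the token outright, and CSP is the main mitigation; with an HttpOnly cookie the token is hidden from script, but because the browser sends it on every request it becomes ambient credential, so the server has to reject state-changing requests that lack the CSRF proof, and `SameSite` plus `Secure` limit where the cookie is sent at all.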