Now that we have decided to use JWTs, we need to figure out where to store them. The two most common approaches are cookies and local storage. For a good comparison of the two for storing JWTs, see this blog post. In short, local storage is susceptible to XSS, and cookies are susceptible to CSRF. Since CSRF protection is standard in most backend frameworks and XSS is a bit trickier to defend against, I opted to store my JWT in a cookie with the HttpOnly and Secure flags set.
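As an added example (not code from the post), here is what that choice looks like on the server side in Python's standard library: issuing the JWT cookie with the HttpOnly and Secure flags, an audit helper that reports which hardening attributes a Set-Cookie value is missing, and the CSRF check that the cookie approach makes necessary. The cookie name `access_token`, the double-submit CSRF scheme and the SameSite=Strict attribute are assumptions I added beyond the two flags the post names.

```python
from http.cookies import SimpleCookie
from typing import List, Optional
import hmac
import secrets

COOKIE_NAME = "access_token"  # assumed cookie name, not from the post


def build_jwt_cookie(jwt: str, max_age: int = 3600) -> str:
    """Build the Set-Cookie header value that stores the JWT.
    HttpOnly keeps page scripts (an XSS payload included) from reading it and
    Secure keeps it off plaintext HTTP. SameSite=Strict is an addition beyond
    the post's two flags: the browser then omits the cookie from cross-site
    requests, which removes most of the CSRF exposure cookies bring."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = jwt
    morsel = jar[COOKIE_NAME]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def missing_hardening(set_cookie_value: str) -> List[str]:
    """Audit check: which of the three hardening attributes does a Set-Cookie
    value lack? Attribute names after the first 'name=value' pair are compared
    case-insensitively, as browsers do."""
    attrs = {p.strip().split("=")[0].lower() for p in set_cookie_value.split(";")[1:]}
    return [a for a in ("httponly", "secure", "samesite") if a not in attrs]


def new_csrf_token() -> str:
    """Token handed to the page (e.g. in a response body) that the front-end
    echoes back in a custom request header on state-changing requests."""
    return secrets.token_urlsafe(32)


def is_authorised(cookie_header: str, csrf_header: Optional[str], session_csrf: str) -> bool:
    """Gate for a state-changing request: the JWT cookie must be present and the
    CSRF header must match the token issued for this session. A cross-site form
    post makes the browser attach the cookie but cannot set the custom header,
    so it fails here. The JWT's signature and expiry still need verifying
    separately; this only checks that it arrived."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if COOKIE_NAME not in jar or csrf_header is None:
        return False
    return hmac.compare_digest(csrf_header, session_csrf)  # constant-time compare
```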