
Insecure token storage in client applications

8/10 High

Applications store OAuth tokens in `localStorage`, `sessionStorage`, or insecure cookies, leaving them readable by any script that runs in the page, including scripts injected through Cross-Site Scripting (XSS) and other client-side script injection attacks.

Category: security
Workaround: solid
Stage: build
Freshness: persistent
Scope: framework
Recurring: Yes
Buyer Type: team

Sources

Collection History

Query: “What are the most common pain points with OAuth 2.0 for developers in 2025?” (3/31/2026)

In browser-based applications, placing tokens in `localStorage` or `sessionStorage` exposes them to any script running on the page, including malicious scripts injected through Cross-Site Scripting (XSS) attacks.

Created: 3/31/2026
Updated: 3/31/2026