Core Code
Core Code Modern Dev Handbook
REACT Contents
React Fundamentals
React Architecture Overview JSX and Rendering Model Component Design Principles Props and Data Flow State Management with useState Side Effects with useEffect Event Handling Patterns Conditional Rendering Strategies Lists, Keys, and Reconciliation Forms and Controlled Components Component Composition Lifting State and Shared State Basic Routing with React Router Failure Modes in Beginner React Apps
React + TypeScript
Typing Functional Components Typing Props and Children useState and Type Inference useReducer with Type Safety Typing Event Handlers Generic Components Utility Types in React Discriminated Unions for UI State Strict Mode and Null Safety API Response Typing Strategies Form Typing Patterns Avoiding any and Unsafe Casts Type-Safe Context API Failure Modes in React + TypeScript
React Advanced Patterns
Custom Hooks Architecture Context vs Prop Drilling Tradeoffs Compound Components Pattern Controlled vs Uncontrolled Abstractions Render Props and Pattern Alternatives State Machines in React Performance Optimization Playbook Memoization Strategies Code Splitting and Lazy Loading Error Boundaries and Recovery Portal Architecture Large Scale Folder Structure Testing Strategy: Unit and Integration Common React Anti Patterns
React Production
CSR vs SSR vs SSG Hydration and Mismatch Failures Next.js Architecture Overview App Router Deep Dive Authentication Patterns Token Storage Security Role Based UI Control API Integration Patterns Rate Limiting and UI Resilience Frontend Security Checklist XSS in Modern React Observability in Frontend Bundle Optimization Production Incident Playbook
Distributed Systems
Distributed System Fundamentals CAP Theorem in Practice Consistency Models Replication Strategies Leader Election Concepts Consensus Algorithms Overview Event Driven Architectures Message Queues and Delivery Guarantees Idempotency Patterns Saga Pattern Circuit Breakers Backpressure and Flow Control Observability in Distributed Systems Failure Scenarios and Postmortems

Token Storage Security

Token storage choices define your risk profile. Learn secure cookie sessions, localStorage risks, XSS and CSRF tradeoffs, and operational controls like rotation, revocation, and anomaly detection.
On this page

Threat Model First

  • Token theft is usually an XSS problem.
  • Session fixation and CSRF are common when cookies are used without defenses.
  • Production rule: choose the simplest session model that meets requirements.

Storage Options

  • HttpOnly cookie: not readable by JS, reduces XSS token exfiltration risk.
  • Memory: token in memory, cleared on refresh, requires refresh strategy.
  • localStorage: easy, but exposed to XSS and persistence increases risk.

Recommended Default: Cookie Based Session

  • Use HttpOnly, Secure, SameSite cookies.
  • Use CSRF defenses for state changing requests.
  • Rotate and revoke sessions server side.

CSRF and Cookies

  • SameSite reduces CSRF but is not always sufficient for all flows.
  • Use CSRF tokens or double submit cookie patterns when needed.
  • Verify Origin and Referer for sensitive endpoints where possible.

XSS and localStorage

  • If an attacker runs JS, localStorage tokens are easy to steal.
  • HttpOnly cookies reduce token theft but do not remove XSS impact.
  • Primary control for XSS is strong input handling and CSP.

Operational Controls

  • Short lived access tokens and rotating refresh tokens.
  • Server side revocation and session invalidation.
  • Device binding signals and anomaly detection for suspicious sessions.
  • Audit logging for login, refresh, and logout events.

Failure Modes

  • localStorage token theft from an XSS bug.
  • CSRF on cookie sessions without proper defenses.
  • Refresh token reuse not detected, enabling session takeover.
  • Cache leaks exposing authenticated responses.

Production Checklist

  • Prefer HttpOnly Secure SameSite cookies for sessions.
  • Deploy CSP and input validation to reduce XSS risk.
  • CSRF protections exist for state changing endpoints.
  • Rotation and revocation are implemented and monitored.
Role Based UI Control →