Just had a security audit of our current system, and they flagged that “Browser local storage (or session storage) is not a secure place to store sensitive information”.
(More reference info here: https://auth0.com/docs/security/store-tokens)
Meteor stores the following auth data in local storage:
Question: does Meteor offer any other auth (storage) mechanisms?
e.g. server-side (using the Authorization Code Flow, Authorization Code Flow with Proof Key for Code Exchange (PKCE), or Hybrid Flow) or client side (e.g. in memory storage).
Yes, we set up Content Security Policy to reduce the attack vector.
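The two points raised in this thread, keeping the login token somewhere other than localStorage and relying on CSP to shrink the script-injection surface, can be shown side by side. The block below is an added example and is not code from the original post or from Meteor; it does not reproduce Meteor's own token handling. The `fakeLocalStorage` object is a constructed stand-in for `window.localStorage` so the code runs outside a browser, the key name `loginToken` and the sample policies are constructed values, and `cspWeaknesses` is a hypothetical checker for a few well-known weak directives, not a full CSP validator.

```javascript
// Constructed stand-in for window.localStorage so this runs under Node.
const fakeLocalStorage = (() => {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
})();

const TOKEN_KEY = 'loginToken'; // constructed key name, not Meteor's

// Backend 1: persistent storage. The token survives reloads, but every
// script running in the page origin can read the same storage object.
function localStorageBackend(storage = fakeLocalStorage) {
  return {
    persistent: true,
    get: () => storage.getItem(TOKEN_KEY),
    set: (t) => storage.setItem(TOKEN_KEY, t),
    clear: () => storage.removeItem(TOKEN_KEY),
  };
}

// Backend 2: in-memory storage. The token lives only in this closure and is
// not reachable through any storage API; the trade-off is that a page reload
// drops it, so the app must re-authenticate (e.g. via a server-side flow).
function memoryBackend() {
  let token = null;
  return {
    persistent: false,
    get: () => token,
    set: (t) => { token = t; },
    clear: () => { token = null; },
  };
}

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Hypothetical checker: flag directives that leave script injection easy.
// Returns a list of human-readable findings; an empty list means none found.
function cspWeaknesses(header) {
  const p = parseCsp(header);
  const findings = [];
  const scriptSrc = p['script-src'] || p['default-src'];
  if (!scriptSrc) {
    findings.push('no script-src or default-src: any script origin allowed');
  } else {
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
    if (scriptSrc.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
    if (scriptSrc.includes('*')) findings.push('script-src allows any origin (*)');
  }
  if (!p['object-src'] || !p['object-src'].includes("'none'")) {
    findings.push("object-src not 'none'");
  }
  return findings;
}

// Constructed sample policies for comparison.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *";
const STRONG_CSP = "default-src 'self'; script-src 'self'; object-src 'none'";

// Stand-alone run: store a constructed token in both backends and report
// which one also exposes it through the storage API, then audit both policies.
function demo() {
  const ls = localStorageBackend();
  const mem = memoryBackend();
  ls.set('constructed-token');
  mem.set('constructed-token');
  return {
    localStorageExposesToken: fakeLocalStorage.getItem(TOKEN_KEY) !== null,
    memoryBackendToken: mem.get(),
    weakFindings: cspWeaknesses(WEAK_CSP),
    strongFindings: cspWeaknesses(STRONG_CSP),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The in-memory backend answers the "client side (e.g. in memory storage)" option from the question: nothing injected into the page can list it the way it can list storage, but the token does not outlive the tab, which is why it is usually paired with a server-side flow that can re-issue a short-lived token. The CSP checker is the kind of quick review you would run on the policy mentioned in the last reply; a policy that still carries `'unsafe-inline'` or a wildcard in `script-src` does little to protect whatever the page keeps in localStorage.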