JWT Bearer in memory versus HttpOnly cookies: CORS and XSS trade-offs
Holding the bearer token only in memory keeps it out of localStorage and drops it on page refresh, but any script running in the page, including injected XSS, can still read and exfiltrate it while it is live; an HttpOnly cookie is unreadable to script, though an XSS payload can still drive authenticated requests from the page.
Tags: jwt, spa, security
CORS interaction
Cookie-based sessions used cross-origin require Access-Control-Allow-Credentials: true together with an exact Access-Control-Allow-Origin (browsers refuse the wildcard when credentials are sent) and, for cross-site requests, cookies marked SameSite=None; Secure. Test every integrated frontend origin, since each one must appear on the allow-list explicitly.
Sending the token in an Authorization header is itself enough to trigger a preflight: Authorization is not a CORS-safelisted request header, so every cross-origin call from the SPA is preceded by an OPTIONS request that the API must answer with Access-Control-Allow-Headers listing Authorization (and Access-Control-Allow-Methods for anything beyond GET, HEAD and POST).
Hardening checklist
Shorten the access token TTL (minutes, not hours), rotate the refresh token on every use, and treat presentation of an already-rotated refresh token as theft: revoke the whole token family and force a fresh login.
Use separate audiences (aud) for browser and machine clients, and have each API reject tokens whose aud is not its own, so a token stolen from the SPA cannot be replayed against back-end services.
