I have a SPA Angular 5 application with an ASP.NET Core Web API as a pure Web API at the backend (they could be hosted on different servers/domains). After searching and reading online, I know we could either store the token in localStorage or in HttpOnly cookies, but both of these methods have their own vulnerabilities (localStorage is susceptible to XSS; a cookie would be vulnerable to CSRF).
So I like to know:
- What's the established method or practice people actually use in production sites nowadays that guards, on reasonable grounds, against both XSS and CSRF attacks when it comes to securing a Web API? For example, I looked into portal.azure.com. They seem to put a bearer token in the request header, but I couldn't see where they are storing the token.
- What's the common practice/way for a SPA and a Web API to get an antiforgery token? I can't find much info on this.
Thanks.