
JWT in localStorage

Open sedubois opened this issue 5 years ago • 7 comments

Issue #7 mentions that JWTs are stored in localStorage, but according to this article, this is subject to XSS attacks so instead they should be stored in cookies.

> please, please, whatever you do, do not store session information (like JSON Web Tokens) in local storage. This is a very bad idea and will open you up to an extremely wide array of attacks that could absolutely cripple your users.

Do you agree with this? What should be done? I also think it's important to educate everyone about secure practices. Thanks for building Strapi and keep it up!

  • [x] I'm sure that this issue hasn't already been referenced

sedubois, Aug 29 '18 07:08
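As an added example (not part of this issue and not code from strapi-sdk-javascript), here is a small Node.js sketch of the cookie-based alternative the quoted article recommends: the server issues the JWT in a cookie flagged `HttpOnly` (out of reach of `document.cookie`, so script injected by XSS cannot read it), `Secure` and `SameSite`, a helper audits a `Set-Cookie` header for those three attributes, and the token is read back from the `Cookie` request header. The cookie name `session`, the attribute defaults and the sample token are assumptions for illustration.

```javascript
// Added example, not code from strapi-sdk-javascript: issuing and auditing an
// HttpOnly session cookie that carries a JWT, plus reading it back on a later
// request. Cookie name "session" and the attribute defaults are assumptions.

// Compact JWT: three base64url segments separated by dots.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// Build the Set-Cookie header that carries the token.
// HttpOnly: not exposed through document.cookie, so XSS-injected script cannot read it.
// Secure:   only sent over HTTPS.
// SameSite: not attached to cross-site requests (Strict or Lax only; None is refused).
function buildJwtCookie(name, jwt, { maxAgeSeconds = 3600, sameSite = 'Strict', path = '/' } = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('unsafe cookie name');
  if (!JWT_SHAPE.test(jwt)) throw new Error('value is not a compact JWT');
  if (sameSite !== 'Strict' && sameSite !== 'Lax') throw new Error('SameSite must be Strict or Lax');
  return [
    `${name}=${jwt}`,
    `Path=${path}`,
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'Secure',
    `SameSite=${sameSite}`,
  ].join('; ');
}

// Split a Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Check a Set-Cookie header (e.g. captured from a response in a test or a proxy)
// for the three attributes a session cookie should carry.
function auditSetCookie(header) {
  const { attributes } = parseSetCookie(header);
  const problems = [];
  if (attributes.httponly !== true) problems.push('missing HttpOnly: page scripts can read the token');
  if (attributes.secure !== true) problems.push('missing Secure: token may travel over plain HTTP');
  const sameSite = String(attributes.samesite || '').toLowerCase();
  if (sameSite !== 'strict' && sameSite !== 'lax') {
    problems.push('SameSite not Strict/Lax: cookie is attached to cross-site requests');
  }
  return { ok: problems.length === 0, problems };
}

// On later requests the browser returns the cookie in the Cookie header; the
// server reads the token there instead of from a header set by page script.
function readJwtFromCookieHeader(cookieHeader, name) {
  for (const part of (cookieHeader || '').split(';')) {
    const trimmed = part.trim();
    const eq = trimmed.indexOf('=');
    if (eq !== -1 && trimmed.slice(0, eq) === name) return trimmed.slice(eq + 1);
  }
  return null;
}

// Constructed sample token: valid shape only, not signed by any real key.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl';

const issued = buildJwtCookie('session', SAMPLE_JWT);
console.log(issued);                                           // header value to send
console.log(auditSetCookie(issued));                           // { ok: true, problems: [] }
console.log(auditSetCookie(`session=${SAMPLE_JWT}; Path=/`));  // three problems reported
console.log(readJwtFromCookieHeader(`theme=dark; session=${SAMPLE_JWT}`, 'session') === SAMPLE_JWT); // true
```

Two caveats worth keeping in mind with this pattern: a cookie the browser attaches automatically is exactly what CSRF exploits, so `SameSite` (and, for older browsers, a separate anti-CSRF token) is part of the design rather than an optional extra; and moving the token out of script reach limits what an XSS payload can steal, but script running on the page can still issue requests that carry the cookie, so the cookie change complements, and does not replace, fixing the XSS itself.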