Here is a complete article about Tokens / Cookies that can give you a lot of knowledge about this subject : auth0 : Cookies VS Tokens

这是一篇关于 Tokens / Cookies 的完整文章，可以为您提供有关此主题的很多知识：auth0：Cookies VS Tokens

I'll quote the most important parts to make you understand what's coming next :

我将引用最重要的部分，让您了解接下来会发生什么：

Two of the most common attack vectors facing websites are Cross Site Scripting (XSS) and Cross Site Request Forgery (XSRF or CSRF).

Cross Site Scripting) attacks occur when an outside entity is able to execute code within your website or app.

Cross Site Request Forgery attacks are not an issue if you are using JWT with local storage. On the other hand, if your use case requires you to store the JWT in a cookie, you will need to protect against XSRF.

Our CTO has argued in the past that XSS attacks are much easier to deal with compared to XSRF attacks because they are generally better understood.

网站面临的两种最常见的攻击媒介是跨站脚本 (XSS) 和跨站请求伪造（XSRF 或 CSRF）。

当外部实体能够在您的网站或应用程序中执行代码时，就会发生跨站点脚本）攻击。

如果您将 JWT 与本地存储一起使用，则跨站点请求伪造攻击不是问题。另一方面，如果您的用例要求您将 JWT 存储在 cookie 中，您将需要防止 XSRF。

我们的 CTO 过去曾辩称，与 XSRF 攻击相比，XSS 攻击更容易处理，因为它们通常更容易理解。

So basically to sum up :

所以基本上总结一下：

• XSSattacks are an issue with Tokensand LocalStorage. But it's not because Angular sanitizes everything, preventing efficiently XSSattacks. (https://angular.io/guide/security#angulars-cross-site-scripting-security-model)
• XSRFattacks are an issue with Cookies, and you would have to set up your own security framework to deal with them.

• XSS攻击是Tokens和LocalStorage的问题。但这并不是因为 Angular 会清理一切，有效地防止XSS攻击。（https://angular.io/guide/security#angulars-cross-site-scripting-security-model）
• XSRF攻击是Cookies 的一个问题，您必须建立自己的安全框架来处理它们。

Hence, I'd recommend a standard JWT Token approach to manage your token. Since your token is signed with the JWTformat, this is the safest solution in my opinion. Of course, a standard token would need to be either encryptedor signed(not the same) to be really secure.

因此，我建议使用标准的 JWT 令牌方法来管理您的令牌。由于您的令牌使用JWT格式签名，因此在我看来这是最安全的解决方案。当然，标准令牌需要加密或签名（不一样）才能真正安全。

Really easy to set up and manages with appropriate libraries (such as https://github.com/auth0/angular2-jwt)

使用适当的库（例如https://github.com/auth0/angular2-jwt）非常容易设置和管理

To go further :I imagine your token would be used for authentication, and be aware that people have already worked with that and know what is good / bad practice using them.

更进一步：我想您的令牌将用于身份验证，并注意人们已经使用过它并知道使用它们的好/坏做法。

You should take a look at how authentications are managed from working websites (such as Twitter / Facebook, etc...) where they use Refresh Tokens. Here are some additionnal links that could interest you :

您应该看看如何从使用Refresh Tokens 的工作网站（例如 Twitter / Facebook 等）管理身份验证。以下是您可能感兴趣的一些附加链接：

• https://auth0.com/learn/refresh-tokens/
• https://auth0.com/docs/tokens/refresh-token/current

• https://auth0.com/learn/refresh-tokens/
• https://auth0.com/docs/tokens/refresh-token/current

EDIT :Additionnal links about best practices with JWT :

编辑：关于 JWT 最佳实践的附加链接：

• https://dev.to/neilmadden/7-best-practices-for-json-web-tokens(Part 6 and 7)

• https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec

• https://dev.to/neilmadden/7-best-practices-for-json-web-tokens（第 6 部分和第 7 部分）

• https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec

Its more about how you are going to validate it than how you are storing token, what security majors you have taken to validate the same on the server side.

它更多地是关于你将如何验证它而不是你如何存储令牌，你已经采取了哪些安全专业来在服务器端验证相同。

You need to make sure that request is coming from valid client and not from malicious source, if you have CORS enabled API.

如果您有启用 CORS 的 API，您需要确保请求来自有效客户端而不是来自恶意来源。

If you are using Token to store confedential info, you need to encrypt it before storing.

如果您使用 Token 存储机密信息，则需要在存储前对其进行加密。

Hope this helps!!

希望这可以帮助！！