JWTs are not the real argument here. Browser storage strategy is. Teams often store access tokens in localStorage because it is easy to wire up from client code. The problem is simple: localStorage is readable by any script running in the page, so if XSS lands, the injected script can call localStorage.getItem, ship the token to a server the attacker controls, and replay it from anywhere until it expires or is revoked.
HttpOnly cookies change that risk profile. The browser attaches the session cookie to requests automatically, but script in the page cannot read it back through document.cookie, so the token itself never leaves the browser.
Why Cookies Are Usually Safer in the Browser
A secure session cookie often looks like this:
Set-Cookie: session=opaque-token; HttpOnly; Secure; SameSite=Lax; Path=/
HttpOnly hides the value from script, Secure keeps it off plain HTTP, SameSite=Lax stops the browser from attaching it to cross-site subrequests and form POSTs (top-level GET navigations still carry it), and Path=/ scopes it to the whole origin. That does not make the system invulnerable. It does remove one of the easiest token-exfiltration paths in browser apps.
The Trade-Offs You Still Need to Handle
Moving the token into a cookie changes the threat model, not the need for security work:
- CSRF defenses still matter, because the browser attaches the cookie on its own; SameSite=Lax narrows the cross-site cases but does not cover all of them, so state-changing requests still need an origin check or a token
- session rotation still matters: issue a fresh session id on login and on privilege changes so a pre-login id cannot be fixed by an attacker, and expire and revoke ids server-side
- XSS is still serious because an attacker can act through the page even if they cannot read the token: injected script can issue fetch requests from the victim's origin, the browser attaches the cookie, and the server cannot tell those requests from legitimate ones
The point is not "cookies solve auth." The point is that browser-managed session transport is usually safer than handing bearer tokens to localStorage.
Better Rule
For browser-based applications, default to HttpOnly cookies unless you have a strong reason not to. Reach for token-in-JavaScript designs only when the client architecture truly requires them and the security trade-off is understood.
Further Reading