The answer to "where do you store the token" decides whether XSS risk is eliminated or merely relocated. Unpacking why the frontend holds no JWT, why CSRF becomes an unavoidable cost, how permission unions are computed, and why cache invalidation is harder than caching.
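An added illustration of the trade-off the summary names (not code from the original article): when the browser holds only an opaque HttpOnly session cookie and the JWT stays server-side, the token is out of reach of page script, but every state-changing request must now carry proof it was initiated by the site itself. The in-memory session store, header names and origin list are assumptions.

```python
"""Constructed example: JWT kept server-side behind a session cookie,
so mutations need an Origin check plus a CSRF token the browser only
attaches when same-origin script put it there."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Session:
    jwt: str  # upstream token; never sent to the frontend
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


SESSIONS: Dict[str, Session] = {}  # session id -> Session (stand-in for a real store)
ALLOWED_ORIGINS = {"https://app.example.test"}  # constructed value


def create_session(jwt: str) -> Tuple[str, str]:
    """Store the JWT server-side and return (session id, csrf token).
    The id goes into an HttpOnly cookie; the csrf token is handed to
    same-origin script (e.g. in a response body) for later headers."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(jwt=jwt)
    return sid, SESSIONS[sid].csrf_token


def authorize_mutation(cookies: Dict[str, str], headers: Dict[str, str]) -> Optional[str]:
    """Return the upstream JWT for an authentic same-site mutation, else None.
    The cookie is attached automatically by the browser, so on its own it
    says nothing about which page issued the request; that is the CSRF cost."""
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return None
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return None  # fail closed when neither header is present
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" not in ALLOWED_ORIGINS:
        return None
    supplied = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(supplied, session.csrf_token):
        return None
    return session.jwt
```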