Auth tokens are cached in sessionStorage (XSS-readable), but the TokenService JSDoc claims httpOnly-cookie storage / 'no client-side token storage' — the doc describes the ideal, the code does the opposite.
Evidence (origin/main): src/core/services/TokenService.ts:8-33 JSDoc claims httpOnly; SecureStorageService.ts uses sessionStorage; TokenService caches tokens (~lines 110-123).
Fix (pick one, reversibility-sensitive): migrate to backend-set httpOnly cookies (larger), OR at minimum delete/correct the misleading JSDoc so it matches reality. Mitigations today: 15-min access TTL + CSP.
Source: MASTER_ISSUE_REGISTER_2026-06-03 (WEB-1) + SECURITY_FINDINGS_2026-06-01 §2, re-verified on origin/main 2026-06-13.
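Added example, not code from the repository under review: the sessionStorage caching pattern the finding describes beside the backend-set httpOnly-cookie alternative it recommends. `StorageLike`, `makeSessionStorage`, the cookie jar and the fetch stand-in are constructed so the comparison runs outside a browser.

```typescript
// Added example, not code from the project under review. Minimal stand-ins for
// sessionStorage, document.cookie and fetch so the comparison runs outside a browser.

interface StorageLike { getItem(k: string): string | null; setItem(k: string, v: string): void; }
interface Cookie { name: string; value: string; httpOnly: boolean; }
type Init = { credentials?: 'include' | 'omit' | 'same-origin' };
type FetchLike = (url: string, init: Init) => Promise<{ status: number }>;

// Constructed stand-in for window.sessionStorage (same-origin, script-readable).
export function makeSessionStorage(): StorageLike {
  const m = new Map<string, string>();
  return { getItem: k => m.get(k) ?? null, setItem: (k, v) => { m.set(k, v); } };
}

// BEFORE: the pattern the finding describes. The 15-min TTL bounds the window
// in which a leaked token is useful; it does not stop the leak itself.
export class CachingTokenService {
  constructor(private storage: StorageLike, private ttlMs = 15 * 60_000) {}
  cache(token: string, now = Date.now()): void {
    this.storage.setItem('access_token', JSON.stringify({ token, exp: now + this.ttlMs }));
  }
  get(now = Date.now()): string | null {
    const raw = this.storage.getItem('access_token');
    if (raw === null) return null;
    const { token, exp } = JSON.parse(raw) as { token: string; exp: number };
    return now < exp ? token : null;
  }
}

// What any script running in the page origin can see. For sessionStorage that is
// the token itself; document.cookie never includes httpOnly cookies.
export function tokenVisibleToPageScript(storage: StorageLike): string | null {
  const raw = storage.getItem('access_token');
  return raw === null ? null : (JSON.parse(raw) as { token: string }).token;
}
export function documentCookieView(jar: Cookie[]): string {
  return jar.filter(c => !c.httpOnly).map(c => `${c.name}=${c.value}`).join('; ');
}

// AFTER: no client-side token storage. The backend sets an httpOnly cookie at
// login; the client only asks the browser to attach it to API calls.
export class CookieTokenService {
  constructor(private fetchImpl: FetchLike) {}
  async call(url: string): Promise<number> {
    return (await this.fetchImpl(url, { credentials: 'include' })).status;
  }
}
```

Whichever fix is chosen, the JSDoc on the token service should describe the class that is actually shipped; the test below checks both halves of the contrast.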