angular - SPA, Web API Bearer Token security issues
Bearer: a person or thing that carries or holds something. In HTTP terms, a bearer token is proof of authorization for whoever presents it: the Web API does not check who is sending the token, only that the token itself is valid.
That means once you log in, say, from an Angular app, the same token can be used from anywhere: from Postman, from Fiddler, or from another website that has obtained the same token.
In Angular 4 the token can be stored in a cookie, localStorage, or sessionStorage, and from there it can be accessed and used. Note that localStorage and sessionStorage are readable by any JavaScript running in your origin, so a single XSS bug on the site is enough to leak a token kept there.
So how do we protect our token, and how should the Web API handle the token it created?
If the token is in a cookie, try putting HttpOnly on the cookie: the browser then sends it with requests but page script cannot read it. Also try setting SameSite=Strict, or a similar value, on the cookie, so the browser does not attach it to requests initiated from another site. This way the token is available only to your own website, and you should send it with the Secure attribute as well so it travels only over HTTPS.
Note: SameSite is supported in the latest WebKit- or Blink-based browsers; in older browsers the attribute is ignored, so it is a defence in depth, not the only protection.