Is Redux a secure place to store JWT tokens?
It doesn't really matter where you store it on the client side. If malicious code gets in through an XSS attack, nothing is really safe. If malicious code doesn't get in, nothing is really unsafe. Just don't have users sharing their stores with each other, and do the other stuff that's generally good security practice.
I know this has been asked a long time ago but thought I'd share in case anyone is looking for a nicer approach.
To answer your question, it can be a secure place to store JWT, but it depends on how you are thinking of persisting the JWT.
Here is my approach. If you are using a SPA frontend, as well as having refresh tokens implemented, you could save that refresh token in a httpOnly cookie, and just get a new JWT when the user starts a new session. This way, there's less chance of CSRF/XSS attacks. I wouldn't say it's the most secure as anything is possible in these modern times, but personally I feel like it is safer due to only somewhat exposing the refresh token, even though it is set as httpOnly.
You could store the JWT in Redux and I can see your motive there but consider this:
- When the page is refreshed or the user leaves the site and returns, the JWT is lost. How will you get it back? Request another one from the server?
You shouldn't worry much where you store the JWT (local storage or cookies) as long as you follow all the best practices of web security and JWT tokens (i.e., setting expiry).
I've personally stored them in local storage and cookies. Cookies seem to be a better choice.