Activities of "luca.astolfi@b4y-group.com"

Dear support team,

Following security checks on an application developed with ABP Framework 8.3.3, the Penetration Test team responsible for verifying application compliance reported that the Angular application does not have proper handling of the AccessToken.

The token is also saved in local storage... a vulnerable location that is accessible if combined with an XSS attack. All access tokens should be set with secure attributes such as HttpOnly or SameSite to prevent them from being used by potentially injected JavaScript code.

We would like to know if it is possible to modify this configuration from Angular or understand where to make the override to be compliant with this policy. Thank you in advance.

Made with ❤️ on ABP v10.1.0-preview. Updated on October 17, 2025, 13:15