src/lib/api.ts's request interceptor reads localStorage.getItem('stellarsend_token') and attaches it as a Bearer token on every request. Tokens in localStorage are readable by any injected script (no httpOnly protection), which is a meaningful risk in an app that also renders user-supplied contact names and memos.
Consider moving to an httpOnly cookie-based session, or at minimum document the threat model and add CSP headers to mitigate XSS in the first place.
src/lib/api.ts's request interceptor readslocalStorage.getItem('stellarsend_token')and attaches it as a Bearer token on every request. Tokens inlocalStorageare readable by any injected script (nohttpOnlyprotection), which is a meaningful risk in an app that also renders user-supplied contact names and memos.Consider moving to an httpOnly cookie-based session, or at minimum document the threat model and add CSP headers to mitigate XSS in the first place.