Frontend Developer

Cookies vs localStorage vs sessionStorage: what’s the difference and what should you store?

Answer

All store data in the browser, but with different scopes and security.

- **Cookies:** sent with requests (good for session cookies) but need CSRF controls.
- **localStorage:** persistent; accessible by JS (don’t store secrets).
- **sessionStorage:** per-tab session; cleared on tab close.

**Security rule:** avoid storing sensitive tokens in localStorage because XSS can steal them. Prefer httpOnly cookies for session tokens when appropriate.
