I have this application that consists of a REST back-end intended to service requests from an HTML5/JavaScript client (which I'm also building).
I'm planning on
The “hard” credentials should never be stored in an area that is accessible by JavaScript, otherwise you open yourself wide to XSS attacks.
I recommend using access tokens and storing them in HTTPS-only cookies. You do an initial exchange of hard credentials for access token, then use the token (which is time limited) for subsequent requests.
I have written a lengthy article on this subject and it covers my answer in detail: Token Based Authentication for Single Page Apps
Hope this helps!
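
The flow described in the answer above, as an added example that is not the answerer's code and is not taken from the linked article: the server issues a time-limited token after the one-time credential check, sends it in a cookie that page scripts cannot read, and validates it on later requests. Assumptions: "HTTPS-only cookies" is taken to mean the `Secure` and `HttpOnly` cookie attributes, and the HMAC-signed token format, the cookie name `access_token`, the 15-minute lifetime and all function names are hypothetical.

```javascript
// Added example; SECRET, TOKEN_TTL_SECONDS and the cookie name are assumptions.
const { createHmac, timingSafeEqual, randomBytes } = require('node:crypto');

const SECRET = randomBytes(32);      // server-side signing key, never sent to the client
const TOKEN_TTL_SECONDS = 15 * 60;   // assumed token lifetime

function sign(payload) {
  return createHmac('sha256', SECRET).update(payload).digest('base64url');
}

// Called once, after the hard credentials have been verified at login.
function issueToken(userId, nowSec) {
  const claims = JSON.stringify({ sub: userId, exp: nowSec + TOKEN_TTL_SECONDS });
  const payload = Buffer.from(claims).toString('base64url');
  return `${payload}.${sign(payload)}`;
}

// HttpOnly keeps the token out of document.cookie, Secure restricts it to
// HTTPS, SameSite=Strict stops the browser attaching it to cross-site requests.
function buildSetCookie(token) {
  return `access_token=${token}; Max-Age=${TOKEN_TTL_SECONDS}; Path=/; ` +
         'HttpOnly; Secure; SameSite=Strict';
}

// Returns the user id for a valid, unexpired token in the Cookie header, else null.
function authenticate(cookieHeader, nowSec) {
  const match = /(?:^|;\s*)access_token=([^;]+)/.exec(cookieHeader || '');
  if (!match) return null;
  const parts = match[1].split('.');
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  const [payload, mac] = parts;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  // Compare MACs in constant time; only parse the payload once it is authentic.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  return nowSec < claims.exp ? claims.sub : null;
}
```

The client never handles the token itself: the browser attaches the cookie to each request, and the REST handlers call `authenticate` on the incoming `Cookie` header.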