Storefront API customer authentication XSS #26
zwergius started this conversation in Ideas & Requests
I am implementing a custom web storefront, and I am currently implementing Customer authentication.
I have been considering different options for what to do with the token I create, but none so far is satisfying...
The issue is that saving this in localStorage would make it vulnerable to XSS attacks.
I have also considered a serverless function where I would return customerAccessToken in a header {Set-Cookie: 'xxx'}; now this would remove the XSS vulnerability, but then I could run into rate limit issues...
The last option would be to only keep it in memory, but then the buyer wouldn't be able to refresh the browser or retain authenticated status.
I wonder why the Storefront API does not return this with the Set-Cookie header in the first place?
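One way to implement the serverless option described above, as an added example that is not part of the original post or of the Storefront API's own code: the login function hands the customerAccessToken back only inside a Set-Cookie header, never in the JSON body. `createCustomerAccessToken` (the helper that performs the Storefront API call) and the cookie name are assumptions.

```javascript
// Added example (not from the original post): a serverless login endpoint that
// returns the Storefront API customerAccessToken only as an HttpOnly cookie, so
// the token never lands in localStorage or any other script-readable place.

const COOKIE_NAME = "customerAccessToken"; // assumed cookie name, not prescribed by the API

// Build the Set-Cookie value: unreadable by page script (HttpOnly), sent only over
// TLS (Secure), withheld on cross-site requests (SameSite=Strict), and expiring
// together with the token. `now` is injectable so the result is deterministic in tests.
function buildTokenCookie(accessToken, expiresAt, now = new Date()) {
  const secondsLeft = Math.floor((new Date(expiresAt) - now) / 1000);
  const maxAge = Math.max(0, secondsLeft);
  return [
    `${COOKIE_NAME}=${encodeURIComponent(accessToken)}`,
    "HttpOnly",
    "Secure",
    "SameSite=Strict",
    "Path=/",
    `Max-Age=${maxAge}`,
  ].join("; ");
}

// On later requests the browser sends the cookie back automatically; the
// server-side function reads it here and calls the Storefront API on the customer's behalf.
function readTokenCookie(cookieHeader) {
  if (!cookieHeader) return null;
  for (const pair of cookieHeader.split(";")) {
    const eq = pair.indexOf("=");
    if (eq === -1) continue;
    if (pair.slice(0, eq).trim() === COOKIE_NAME) {
      return decodeURIComponent(pair.slice(eq + 1).trim());
    }
  }
  return null;
}

// Login handler. `createCustomerAccessToken` is an assumed helper that performs
// the Storefront API call and resolves to { accessToken, expiresAt } or null.
async function loginHandler(req, createCustomerAccessToken) {
  const { email, password } = req.body || {};
  const token = await createCustomerAccessToken(email, password);
  if (!token) return { status: 401, headers: {}, body: { ok: false } };
  return {
    status: 200,
    headers: { "Set-Cookie": buildTokenCookie(token.accessToken, token.expiresAt) },
    body: { ok: true }, // the token is deliberately absent from the JSON body
  };
}
```

HttpOnly keeps the token out of reach of injected script, though such script can still make the browser send requests that carry the cookie; SameSite=Strict plus server-side origin checks narrow that further.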