So the recommended way to store the two tokens is via cookies (as opposed to local storage) as it provides security against XSS attacks.