Hi, I noticed there was a lack of cookie-based session management (unless I've missed something in the docs), and since SameSite attributes protect against CSRF, the recommendation against it is outdated: https://feathersjs.com/guides/security.html.
As for the stance that if an XSS vulnerability is abused you have more important things to worry about than a stolen token, this may be right, but an HttpOnly cookie still limits the window of abuse while the XSS is active, whereas if a token were to be stolen, it can be used until its expiry. I think in most cases an HttpOnly, SameSite cookie is safer than a local storage implementation, and even if not, I think it would be nice to have a built-in, securely configured cookie option for devs to easily choose from for themselves.