- Vulnerable to **XSS** (cross-site scripting) attacks: if an attacker manages to inject JavaScript into the page, that script runs in the application's origin and can read the token with `localStorage.getItem('token')` and exfiltrate it, after which the attacker can replay it from anywhere for as long as it remains valid.
- Not vulnerable to **CSRF** (cross-site request forgery): the browser never attaches the token automatically. The application's own code has to read it from `localStorage` and explicitly add it to the request headers (typically `Authorization: Bearer <token>`), and a request forged from another origin (a form post, an `<img>` tag) cannot set that header or read the other origin's storage, so it arrives unauthenticated.