For my case, I chose to implement HTTP-only cookies, as I see it as a much safer way to handle JWT, because it prevents hackers from performing XSS attacks (stealing the content of any cookie in document.cookie).

With HTTP-only cookies, It's harder for malicious scripts to extract the token and send it to an attacker.