How do I store a Pow token safely in the browser?

I’m trying to make a simple login project for practice and found the POW system.
It makes tokens like JWT, so I tried to use it, but I have a question about whether this is safe from XSS or CSRF.
With cookies, I heard they can be set HttpOnly and Secure on the server and sent to the front end.
Well, in this case (using POW), how do I set it to be HttpOnly or Secure?
Or is there a good way to store the access token and the refresh token (renewal_token)?
I heard localStorage is a bad way to store information like an ID or user information.