 

Are API tokens safe inside a Flux (Redux) store?

Would it be safe to store an API token returned by an authentication call in a Flux (specifically, Redux) store? I've used Webpack to compile all assets in the project, which I believe means the store is scoped out of reach from third-party scripts looking to read the store and extract the token.

And, for what it's worth, the token is sent over HTTPS in an Authorization: bearer ... header.

asked Sep 22 '15 16:09 by Carson


1 Answer

If untrusted 3rd party scripts are running on the page, then you should assume that nothing is safe as the entire integrity of the page is compromised.

If only trusted scripts are running, then you can assume your token is safe, subject to the security of the browser and how secure your site is against XSS attacks.

EDIT:

To clarify, this is safety from 3rd party scripts. If you are trying to hide your token from the users themselves, then the answer is that it will always be insecure, no matter how much you obfuscate your code, since if the user's machine has access to it, then ultimately the user can have access to it (you can make it more difficult, but not impossible).

answered Oct 26 '22 18:10 by Trevor Freeman
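The point the answer makes, shown in runnable form. This is an added example by the editor, not code from the question, the answer, Redux or Webpack. It assumes a hand-rolled Redux-style store standing in for Redux, a synchronous stand-in for window.fetch that only records what would go on the wire, a hypothetical API URL and a constructed token value; nothing touches the network. It shows that bundling does keep the store out of reach by name, and that an injected script still gets the token the first time the app sends it, because it shares the page's globals.

```javascript
'use strict';
// Added example, not the page's or Redux's own code. Assumptions: a minimal
// Redux-style store, a synchronous stand-in for fetch, a made-up API host and
// a constructed token. No network access.

// Minimal Redux-style store. It lives in closure scope, so another script
// cannot reach it by name; that is the protection Webpack bundling provides.
function createStore(reducer) {
  let state;
  const listeners = [];
  const store = {
    getState: () => state,
    dispatch(action) {
      state = reducer(state, action);
      listeners.forEach((l) => l());
      return action;
    },
    subscribe(l) {
      listeners.push(l);
      return () => listeners.splice(listeners.indexOf(l), 1);
    },
  };
  store.dispatch({ type: '@@INIT' }); // populate default state, as Redux does
  return store;
}

function authReducer(state = { token: null }, action) {
  switch (action.type) {
    case 'LOGIN_SUCCESS':
      return { ...state, token: action.token };
    case 'LOGOUT':
      return { ...state, token: null };
    default:
      return state;
  }
}

// Constructed stand-in for window.fetch: records what would go on the wire.
// Synchronous so the example runs without a browser or an event loop.
const wire = [];
globalThis.fetch = function fakeFetch(url, init = {}) {
  wire.push({ url, headers: { ...(init.headers || {}) } });
  return { ok: true, status: 200 };
};

// The app's API client, the pattern from the question: the token is read
// from the store and sent as a bearer header (the URL is hypothetical).
function fetchProfile(store) {
  const { token } = store.getState();
  return globalThis.fetch('https://api.example.test/me', {
    headers: { Authorization: `Bearer ${token}` },
  });
}

// What an XSS payload can do with no reference to the store at all: replace
// the global fetch and copy every Authorization header that passes through.
// A real payload would forward it with navigator.sendBeacon or an <img> src.
function injectedScript(stolen) {
  const realFetch = globalThis.fetch;
  globalThis.fetch = function hookedFetch(url, init = {}) {
    const h = init.headers || {};
    const auth = h.Authorization || h.authorization;
    if (auth) stolen.push(auth);
    return realFetch.call(this, url, init);
  };
}

function demo() {
  wire.length = 0;
  const store = createStore(authReducer);
  const stolen = [];

  // 1. Bundling holds: the store is not reachable by name from another script.
  const storeVisibleGlobally = typeof globalThis.store !== 'undefined';

  // 2. Yet once untrusted script runs in the page, the token leaks the first
  //    time the app uses it, because the attacker shares the same globals.
  injectedScript(stolen);
  store.dispatch({ type: 'LOGIN_SUCCESS', token: 'tok_constructed_123' }); // constructed
  fetchProfile(store);

  return { storeVisibleGlobally, stolen, sentTo: wire.map((r) => r.url) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node: `storeVisibleGlobally` comes back false, confirming the scoping argument in the question, while `stolen` already holds the bearer value after a single API call. The same trick works against `XMLHttpRequest.prototype.setRequestHeader`, so the defence is keeping untrusted script out of the page (XSS prevention, a Content Security Policy), not hiding the store.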