Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

HTML5 localStorage security

Tags:

html

security

Would be a good or bad idea to use localStorage for sensitive data (assuming the current HTML5 implementations)?

What methods can I use to secure the data so that it cannot be read by a person that has access at the client computer?

like image 763
Aleris Avatar asked Sep 15 '10 14:09

Aleris

People also ask

Is using localStorage secure?

On the downside, localStorage is potentially vulnerable to cross-site scripting (XSS) attacks. If an attacker can inject malicious JavaScript into a webpage, they can steal an access token in localStorage. Also, unlike cookies, localStorage doesn't provide secure attributes that you can set to block attacks.

Can localStorage be hacked?

If an attacker can run JavaScript on your website, they can retrieve all the data you've stored in local storage and send it off to their own domain. This means anything sensitive you've got in local storage (like a user's session data) can be compromised.

Is Webstorage secure?

Never store sensitive data using Web Storage: Web Storage is not secure storage. It is not “more secure” than cookies because it isn't transmitted over the wire. It is not encrypted. There is no Secure or HTTP only flag so this is not a place to keep session or other security tokens.

1 Answers

Bad idea.

  1. Someone with access to the machine will always be able to read the localStorage, there is nothing much you can do to prevent it. Just type 'localStorage' in firebug console, and you get all the key/value pairs nicely listed.
  2. If you have an XSS vulnerability in your application, anything stored in localStorage is available to an attacker.
  3. You can try and encrypting it, but there is a catch. Encrypting it on the client is possible, but would mean the user has to provide a password and you have to depend on not-so-well-tested javascript implementations of cryptography.
  4. Encrypting on the server side is of course possible, but then the client code cannot read or update it, and so you have reduced localStorage to a glorified cookie.

If it needs to be secure, its best to not send it to the client. What is not in your control can never be secure.

like image 50
Sripathi Krishnan Avatar answered Sep 28 '22 15:09

Sripathi Krishnan
Sign in to Comment

Related questions

Property 'submit' of object #<HTMLFormElement> is not a function
Change text size and color incrementally
How can I put a vertical line down the center of a div?
Disable form autofill in Chrome without disabling autocomplete [duplicate]
How to prevent downloading images and video files from my website?
Bootstrap font scaling too small on mobile
Simple JavaScript problem: onClick confirm not preventing default action
Removing "bullets" from unordered list <ul>
How to create a label inside an <input> element?
Adding double quotes to a paragraph with CSS
Input range slider not working on iOS Safari when clicking on track
Text Padding in Select Boxes
How to get on-screen visible element objects in jQuery? [duplicate]
Is there an equivalent to the "alt" attribute for div elements?
jQuery when element becomes visible [duplicate]
Why does JavaScript navigator.appName return Netscape for Safari, Firefox and Chrome?
How to set an input width to match the placeholder text width
window.innerWidth vs document.documentElement.clientWidth
How does stackoverflow make its Tag input field? [closed]
How does a multiple select list work with model binding in ASP.NET MVC?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!