Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

HTML5 Web DB Security

Tags:

html

security

offlineapps

I'm looking into an offline web app solution using HTML5. The functionality is everything I need BUT the data stored can be directly queried right in the browser and therefore completely unsecure!

Is there anyway to encrypt/hide so that the data is secure?

Thanks, D.

like image 607
user317077 Avatar asked Apr 15 '10 00:04

user317077

People also ask

Is HTML5 secure?

As with any programming language, HTML5 is only as safe as the practices of the developer who creates with it. However, HTML5 is seen as much more robust in terms of safety because of this sandboxing.

What is HTML5 security?

HTML5 provides little protection for web vulnerabilities such as XSS, CSRF or SQL injection amongst many others. Even though the specification may seem more secure, most of the vulnerabilities available in the hackers' arsenal continue to work on HTML5-based sites as well.

Is HTML5 more secure than Flash?

The architecture of HTML5 allows cyber risk management. It is more secure than any Flash code, but not entirely immune to malware or security issues. The difference is that HTML5 is maintained by the World Wide Web Consortium (W3C).

2 Answers

There are two concerns to local storage in HTML5 -

  1. One website reading offline data that another website has stored in a users browser
  2. An end user querying your websites offline data directly

For 1, browsers enforce the same-domain restrictions to localStorage (or the sqllite database support that safari has), so other websites won't have access to the data that you store. However, do remember that if your site has XSS vulnerabilities, it would be possible to steal the data.

For 2, you can't prevent it. Its just like a cookie - the user can chose to view/delete/modify it.

Encryption of data is possible (see http://farfarfar.com/scripts/encrypt/), but pointless. You cannot have a single, global key/password - because an attacker can easily figure the key from javascript code. Using a user-entered password to encrypt/decrypt is possible, but client-side encryption libraries aren't mature or tested well enough. There are likely tons of way to break it.

So, for now atleast, don't store sensitive data in localStorage.

like image 81
Sripathi Krishnan Avatar answered Sep 20 '22 14:09

Sripathi Krishnan

You can also see an article on this concern by the author of the HTML5 SecureStore Porposal

like image 43
Cbe317 Avatar answered Sep 23 '22 14:09

Cbe317
Sign in to Comment

Related questions

Web API OAuth Bearer Token security
Secure session cookies in ASP.NET over HTTPS
Validate that a file is a picture in PHP
When linking to an external .js file, isn't this a security risk?
Jetty webserver security
How to get a process file name from pid, if OpenProcess() fails with ACCESS_DENIED?
Git: Is it possible to fake the signing date of a tag?
Is it 'safe' to permanently trust the Fiddler root certificate?
Can HTTPS connections be hijacked with a man-in-the-middle attack?
Are there any free implementations of strcpy_s and/or TR24731-1?
Should I release an app to the App Store with print statements in it?
PHP GET variable array injection
SQL Injection attack - What does this do?
what is an alternative to password_hash() for (PHP 5 < 5.5.0)?
How to get ssl on a kubernetes application?
Can anybody explain OAuth?
SecureString for storing in memory and presenting passwords? Or something else?
Does HTTPS protect against CSRF attacks?
Secure Flag for ASPXAUTH Cookie
AWS S3 The security of a signed URL as a hyperlink

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!