52

Would be a good or bad idea to use localStorage for sensitive data (assuming the current HTML5 implementations)?

What methods can I use to secure the data so that it cannot be read by a person that has access at the client computer?

Om Shankar
  • 7,989
  • 4
  • 34
  • 54
Aleris
  • 7,981
  • 3
  • 36
  • 42
  • I posted [an answer to a similar question](http://stackoverflow.com/a/24677597/19212) that may be illuminating as well. – Brian M. Hunt Jul 10 '14 at 13:25

2 Answers2

65

Bad idea.

  1. Someone with access to the machine will always be able to read the localStorage, there is nothing much you can do to prevent it. Just type 'localStorage' in firebug console, and you get all the key/value pairs nicely listed.
  2. If you have an XSS vulnerability in your application, anything stored in localStorage is available to an attacker.
  3. You can try and encrypting it, but there is a catch. Encrypting it on the client is possible, but would mean the user has to provide a password and you have to depend on not-so-well-tested javascript implementations of cryptography.
  4. Encrypting on the server side is of course possible, but then the client code cannot read or update it, and so you have reduced localStorage to a glorified cookie.

If it needs to be secure, its best to not send it to the client. What is not in your control can never be secure.

Sripathi Krishnan
  • 30,948
  • 4
  • 76
  • 83
  • 4
    I'll second that. Bad Practice. https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Local_Storage_.28a.k.a._Offline_Storage.2C_Web_Storage.29 – Pierre Ernst Nov 02 '11 at 12:41
  • 11
    However, a good point is that a script from a domain can read `localStorage` set by that domain **only** – Om Shankar Mar 04 '13 at 16:49
  • Additional citation on JS crypto being a poor choice from the NCC Group circa 2011: [JavaScript Cryptography Considered Harmful](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-considered-harmful/) — they go into details on the many problems involved. – amcgregor Feb 26 '19 at 19:33
  • Seems like this didn't age well as it's a common practice to store API tokens in localStorage or cookies. – Konrad Oct 08 '22 at 17:06
-3

Public Key Cryptography can be applied to prevent any kind of intrusion. Also, data integrity checks (such as CRC or hashes) may be used to make sure data is validated by the server.

dashersw
  • 207
  • 1
  • 10
  • 5
    No. PKI doesn't help on every case. Also, if attacker can change the contents, they can also easily change hashes. Hashes could help with detecting unintentional changes ("corruption"), though. – Olli Sep 30 '13 at 08:52