HTML5 localStorage security

by

Bad idea.

  1. Someone with access to the machine will always be able to read the localStorage, there is nothing much you can do to prevent it. Just type ‘localStorage’ in firebug console, and you get all the key/value pairs nicely listed.
  2. If you have an XSS vulnerability in your application, anything stored in localStorage is available to an attacker.
  3. You can try and encrypting it, but there is a catch. Encrypting it on the client is possible, but would mean the user has to provide a password and you have to depend on not-so-well-tested javascript implementations of cryptography.
  4. Encrypting on the server side is of course possible, but then the client code cannot read or update it, and so you have reduced localStorage to a glorified cookie.

If it needs to be secure, its best to not send it to the client. What is not in your control can never be secure.

More Related Contents:

  1. Is either GET or POST more secure than the other?
  2. How to allow http content within an iframe on a https site [duplicate]
  3. Cross Domain Form POSTing
  4. Can local storage ever be considered secure? [closed]
  5. Is it possible to put binary image data into html markup and then get the image displayed as usual in any browser?
  6. access iframe content from a chrome’s extension content script
  7. How to prevent a browser from storing passwords
  8. Why are iframes considered dangerous and a security risk?
  9. Disabling Safari autofill on usernames and passwords
  10. Open a direct file on the hard drive from firefox (file:///)
  11. Browser Canvas CORS Support for Cross Domain Loaded Image Manipulation
  12. Is any way that is safe to display videos in a browser
  13. How can I select the last element with a specific class, not last child inside of parent?
  14. Using Position Relative/Absolute within a TD?
  15. Why media queries has less priority than no media queries css
  16. Flexbox fill available space vertically
  17. Best approach to real time http streaming to HTML5 video client [closed]
  18. What are the integrity and crossorigin attributes?
  19. Localization of input type number
  20. Easier way to create circle div than using an image?
  21. Customizing Increment Arrows on Input of Type Number Using CSS
  22. Remove outline from select box in FF
  23. Difference between Url Encode and HTML encode
  24. HTML5 localStorage size limit for subdomains
  25. How to save user-entered line breaks from a TextArea to a database?
  26. Link to reload current page
  27. How do I horizontally center an absolute positioned element inside a 100% width div? [duplicate]
  28. download webpage and dependencies, including css images [closed]
  29. Poor anti-aliasing of text drawn on Canvas
  30. Can you have a within a ?

Leave a Comment