HTML5 security localStorage

Would it be a good or bad idea to use localStorage for sensitive data (assuming current HTML5 implementations)?

What methods can I use to protect data so that it cannot be read by someone with access to the client computer?

+47
security html5
Sep 15 '10 at 14:00
2 answers

Bad idea.

  • Someone with access to the machine will always be able to read localStorage; you cannot do anything to prevent it. Just enter "localStorage" in the Firebug console and you will get all the key/value pairs, nicely presented.
  • If you have an XSS vulnerability in your application, everything stored in localStorage is accessible to the attacker.
  • You can try to encrypt it, but there is a catch. It is possible to encrypt it on the client, but this means that the user must provide a password, and that you would have to depend on not very well tested JavaScript cryptography implementations.
  • Server-side encryption is, of course, possible, but then the client code cannot read or update it, and so you have reduced localStorage to a glorified cookie.

If it is needed for security, it is best not to send it to the client at all. What is not under your control can never be safe.

+54
Sep 15 '10 at 15:50
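The answer above makes the point that anything in localStorage is readable by any script running in the origin. As an added example (not part of either answer), here is a small defensive audit helper a developer can run against a page's storage to catch tokens or credentials that ended up there by accident; `auditStorage`, `makeMemoryStorage` and the sample contents are constructed for this illustration, and the in-memory stand-in exists only so the code also runs outside a browser.

```javascript
// Minimal Storage-compatible stand-in (constructed for this example).
// In a browser you would pass window.localStorage to auditStorage instead.
function makeMemoryStorage(entries) {
  const map = new Map(Object.entries(entries));
  return {
    get length() { return map.size; },
    key(i) { return [...map.keys()][i] ?? null; },
    getItem(k) { return map.has(k) ? map.get(k) : null; },
    setItem(k, v) { map.set(k, String(v)); },
    removeItem(k) { map.delete(k); },
  };
}

// Key names that usually indicate credentials or session material.
const SENSITIVE_KEY = /(token|secret|passw|session|auth|apikey|api_key|jwt|credential)/i;
// Three base64url segments separated by dots: the shape of a JWT.
const JWT_SHAPE = /^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$/;
// Long opaque strings without whitespace are often API keys or session ids.
const OPAQUE_BLOB = /^[A-Za-z0-9+/=_-]{32,}$/;

// Walks every entry and returns one finding per suspicious item: { key, reasons }.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) ?? '';
    const reasons = [];
    if (SENSITIVE_KEY.test(key)) reasons.push('sensitive key name');
    if (JWT_SHAPE.test(value)) reasons.push('value looks like a JWT');
    else if (OPAQUE_BLOB.test(value)) reasons.push('value is a long opaque blob');
    if (reasons.length) findings.push({ key, reasons });
  }
  return findings;
}

// Constructed sample contents: harmless UI state next to a session token.
const sample = makeMemoryStorage({
  theme: 'dark',
  lastVisited: '/dashboard',
  authToken: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyNDIifQ.c2lnbmF0dXJlLXBsYWNlaG9sZGVy',
  cart: '[{"sku":"A1","qty":2}]',
});

for (const f of auditStorage(sample)) {
  console.log(`${f.key}: ${f.reasons.join(', ')}`);
}
```

Anything the audit flags should live in an HttpOnly cookie or stay on the server, as the answer recommends.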

Public key cryptography can be used to prevent any intrusion. In addition, data integrity checks (for example, CRCs or hashes) can be used so that the server can validate the data.

-2
Nov 01 '11 at 18:38