MEDIUM | CWE-312 (Cleartext Storage of Sensitive Information) | Client-Side Security
Sensitive Data in LocalStorage
Description
Sensitive information such as auth tokens, API keys, or PII is stored in localStorage, where it is readable by any JavaScript running in the page's origin: the application's own code, every third-party script it loads, and anything an attacker manages to inject.
How Vezraa Detects It
We scan your client-side JavaScript for localStorage.setItem() calls near sensitive variable names.
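In the same spirit, here is an added heuristic check of our own (example code, not Vezraa's scanner): it inspects localStorage.setItem() calls plus the bracket and dot assignment forms, and flags a write when either the key or the value expression contains a sensitive-looking name. The SAMPLE source, the SENSITIVE word list and the function names are constructed for the demo.

```javascript
// Added example (not Vezraa's scanner): heuristic static check for client-side
// code that writes sensitive-looking data into localStorage.

// Names that suggest a secret or PII, checked against both the storage key and
// the value expression. Deliberately broad: a human triages the findings.
const SENSITIVE = /token|jwt|secret|api[_-]?key|password|passwd|session|ssn|credit[_-]?card/i;

// Three ways to write: setItem(), localStorage['k'] = v, localStorage.k = v.
// The dot form excludes "==" so comparisons like localStorage.length === 0 pass.
const SET_ITEM = /(?:window\.)?localStorage\.setItem\s*\(/g;
const BRACKET = /(?:window\.)?localStorage\[\s*(['"`])([^'"`]*)\1\s*\]\s*=(?!=)\s*([^;]*)/g;
const DOT = /(?:window\.)?localStorage\.([A-Za-z_$][\w$]*)\s*=(?!=)\s*([^;]*)/g;

// Text of the argument list whose "(" is at source[open]; tracks nesting so
// JSON.stringify(...) inside the call does not end it early.
function argumentList(source, open) {
  let depth = 0;
  for (let i = open; i < source.length; i++) {
    if (source[i] === '(') depth++;
    else if (source[i] === ')' && --depth === 0) return source.slice(open + 1, i);
  }
  return source.slice(open + 1); // unterminated call: take the rest
}

// Split "key, value" on the first comma not nested in (), [] or {}.
function splitArgs(args) {
  let depth = 0;
  for (let i = 0; i < args.length; i++) {
    const c = args[i];
    if ('([{'.includes(c)) depth++;
    else if (')]}'.includes(c)) depth--;
    else if (c === ',' && depth === 0) return [args.slice(0, i).trim(), args.slice(i + 1).trim()];
  }
  return [args.trim(), ''];
}

function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Scan one source file; return findings for localStorage writes whose key or
// value expression looks sensitive, ordered by line number.
function scanSource(source) {
  const findings = [];
  const report = (index, key, value) => {
    const hit = [key, value].find((s) => SENSITIVE.test(s));
    if (hit !== undefined) {
      findings.push({ line: lineOf(source, index), key, value, reason: hit.match(SENSITIVE)[0] });
    }
  };
  for (const m of source.matchAll(SET_ITEM)) {
    const open = m.index + m[0].length - 1;
    const [key, value] = splitArgs(argumentList(source, open));
    report(m.index, key.replace(/^['"`]|['"`]$/g, ''), value);
  }
  for (const m of source.matchAll(BRACKET)) report(m.index, m[2], m[3].trim());
  for (const m of source.matchAll(DOT)) report(m.index, m[1], m[2].trim());
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample: a login handler that mixes benign and sensitive writes.
const SAMPLE = `
import { login } from './api';
async function onLogin(user, pass) {
  const { token, refreshToken, profile } = await login(user, pass);
  localStorage.setItem('auth_token', token);
  localStorage.setItem("refresh_token", refreshToken);
  localStorage.setItem('theme', 'dark');
  window.localStorage.setItem(API_KEY_STORAGE, JSON.stringify({ key: profile.apiKey }));
  localStorage['session_id'] = sessionId;
  localStorage.lastPage = '/dashboard';
  localStorage.setItem('user', JSON.stringify({ name: profile.name, ssn: profile.ssn }));
}
`;

for (const f of scanSource(SAMPLE)) {
  console.log(`line ${f.line}: localStorage write of "${f.key}" flagged (${f.reason})`);
}
```

Lines 5, 6, 8, 9 and 11 of the sample are reported; the theme and lastPage writes are not. Because the match is on names, a key called `user` is only caught here through the `ssn` field in its value expression, which is why the value side is inspected too.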
Real-World Impact
Any XSS on the origin, including a compromised third-party script, can dump every key with a single call and exfiltrate the tokens; localStorage has no HttpOnly equivalent, so nothing in the browser stops a script from reading it. It also never expires and is shared by every tab of the origin, so a token stays readable until the app or the user explicitly clears it, and a stolen token remains usable for as long as the server accepts it.
Fix Example
// BAD — exposes to all JS
localStorage.setItem('auth_token', token);
// GOOD — httpOnly cookie
// Set via server with:
Set-Cookie: auth_token=...; HttpOnly; Secure; SameSite=Strict

Give the cookie a server-chosen expiry (Max-Age or Expires) as well. HttpOnly only stops scripts from reading the token; an XSS can still make authenticated requests from the page while it is open, so the injection itself still has to be fixed. Moving the token into the cookie limits what the attacker gets to keep.

Affected Stacks
All SPAs (React, Vue, Angular)