MEDIUM | CWE-312 | Client-Side Security

Sensitive Data in LocalStorage

Description

Sensitive information such as auth tokens, API keys, or PII is stored in the browser's localStorage, where any JavaScript running on the page's origin can read it.

How Vezraa Detects It

We scan your client-side JavaScript for localStorage.setItem() calls whose keys or nearby variable names look sensitive.

Real-World Impact

Any XSS vulnerability on the same origin lets injected script read every stored token and secret. localStorage also persists across sessions until it is explicitly cleared; unlike cookies, it has no expiry controls.

Fix Example

// BAD — readable by any script on the page
localStorage.setItem('auth_token', token);

// GOOD — HttpOnly cookie, not readable from script
// Set by the server in the response header:
Set-Cookie: auth_token=...; HttpOnly; Secure; SameSite=Strict
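As an added example (not Vezraa's scanner and not code from this page): a minimal JavaScript detector for the localStorage.setItem() pattern described above, plus a builder and checker for the hardened Set-Cookie header the fix recommends. SENSITIVE_KEYS, buildAuthCookie, cookieIsHardened and the sample bundle are assumptions constructed for this example.

```javascript
// Key names that indicate a secret is being written to localStorage (assumed list).
const SENSITIVE_KEYS = /token|secret|api[_-]?key|password|session|jwt|ssn/i;

// Matches localStorage.setItem('<key>', ...) with a string-literal key; group 2 is the key.
const SET_ITEM = /localStorage\.setItem\(\s*(['"`])([^'"`]+)\1\s*,/g;

// Return one finding (line number and key) per setItem call whose key looks sensitive.
function findSensitiveLocalStorage(source) {
  const findings = [];
  for (const match of source.matchAll(SET_ITEM)) {
    const key = match[2];
    if (SENSITIVE_KEYS.test(key)) {
      const line = source.slice(0, match.index).split('\n').length;
      findings.push({ line, key });
    }
  }
  return findings;
}

// Build the Set-Cookie value the fix recommends. Max-Age bounds the lifetime,
// which localStorage cannot do on its own.
function buildAuthCookie(token, maxAgeSeconds = 3600) {
  // RFC 6265 cookie-octet: no whitespace, DQUOTE, comma, semicolon or backslash.
  if (!/^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]+$/.test(token)) {
    throw new Error('token contains characters not allowed in a cookie value');
  }
  return `auth_token=${token}; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=${maxAgeSeconds}`;
}

// Check that a Set-Cookie header carries every attribute the fix requires.
function cookieIsHardened(setCookie) {
  const attrs = setCookie.split(';').slice(1).map(a => a.trim().toLowerCase());
  return attrs.includes('httponly') && attrs.includes('secure') &&
    attrs.includes('samesite=strict');
}

// Constructed sample client bundle for the scanner (not real application code).
const SAMPLE_SOURCE = `
const token = await login(user, pass);
localStorage.setItem('auth_token', token);      // flagged: sensitive key
localStorage.setItem("theme", "dark");          // fine: not sensitive
sessionStorage.setItem('api_key', key);         // sessionStorage is outside this check
`;

console.log(findSensitiveLocalStorage(SAMPLE_SOURCE)); // [{ line: 3, key: 'auth_token' }]
console.log(buildAuthCookie('abc123'));
```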

Affected Stacks

All SPAs, React, Vue, Angular
