Leakage of sensitive data in local storage

Overview

  • Rule ID: javascript_lang_session

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-312

Description

Storing sensitive data in localStorage presents a security risk: any sensitive information kept in the browser's local storage is exposed to unauthorized access.

Remediation Guidelines

  • Avoid storing sensitive data in localStorage. This practice exposes sensitive information to potential security vulnerabilities.

    localStorage.setItem('user', email); // insecure

  • Use server-based session storage solutions to keep session data secure. This method reduces the risk of sensitive data exposure.

  • Store only non-sensitive data in localStorage, such as a unique identifier, to mitigate security risks.

    localStorage.setItem('user', user.uuid); // only an opaque identifier

Configuration

To skip this rule during a scan, or to get continuous code-level scanning, you can use our SAST tool.
