# Leakage of sensitive data in local storage

## Overview

* **Rule ID**: `javascript_lang_session`
* **Applicable Languages**: JavaScript
* **Weakness ID**: CWE-312

## Description

Storing sensitive data in `localStorage` presents a security risk. The weakness arises when sensitive information is kept in the browser's local storage, where it persists in cleartext and is exposed to unauthorized access.

## Remediation Guidelines

* **Avoid** storing sensitive data in `localStorage`. This practice exposes sensitive information to potential security vulnerabilities.

  ```javascript
  localStorage.setItem('user', email); // insecure
  ```
* **Use** server-based session storage solutions to keep session data secure. This method reduces the risk of sensitive data exposure.
* **Store only non-sensitive data in `localStorage`**, such as a unique identifier, to mitigate security risks.

  ```javascript
  localStorage.setItem('user', user.uuid);
  ```
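The following is an added example, not code from the original rule page: a small wrapper around the storage API that only admits allow-listed keys and refuses values shaped like credentials or PII, so that an opaque identifier such as `user.uuid` is accepted while an e-mail address or token is not. `MemoryStorage`, `SafeStorage`, the regex list and the sample `user` object are assumptions of this example; `MemoryStorage` is a constructed stand-in for `window.localStorage` so the code runs outside a browser.

```javascript
// Constructed in-memory stand-in for window.localStorage so the example runs in Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  setItem(k, v) { this.map.set(String(k), String(v)); }
  getItem(k) { return this.map.has(String(k)) ? this.map.get(String(k)) : null; }
}

// Values shaped like credentials or PII must never reach localStorage:
// every key stored there is readable by any script running on the same origin.
const SENSITIVE_VALUE = [
  /^[^@\s]+@[^@\s]+\.[^@\s]+$/,                          // e-mail address
  /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/,  // JWT-shaped token
  /^[0-9]{13,19}$/,                                       // card-number-shaped digits
];
const SENSITIVE_KEY = /password|passwd|secret|token|email|ssn|card/i;

// Wrapper (hypothetical name) that only admits allow-listed, non-sensitive keys.
class SafeStorage {
  constructor(backend, allowedKeys) {
    this.backend = backend;
    this.allowedKeys = new Set(allowedKeys);
  }
  setItem(key, value) {
    const v = String(value);
    if (!this.allowedKeys.has(key) || SENSITIVE_KEY.test(key)) {
      throw new Error(`refusing to store key "${key}" in localStorage`);
    }
    if (SENSITIVE_VALUE.some((re) => re.test(v))) {
      throw new Error(`refusing to store sensitive-looking value under "${key}"`);
    }
    this.backend.setItem(key, v);
  }
  getItem(key) { return this.backend.getItem(key); }
}

// Constructed sample user; the session itself stays server-side and only the
// opaque uuid (as in the remediation above) is kept client-side.
const user = { uuid: '5f1c6c3e-2b1a-4b4e-9c4d-0a1b2c3d4e5f', email: 'alice@example.com' };

function demo() {
  const storage = new SafeStorage(new MemoryStorage(), ['user', 'theme']);
  storage.setItem('user', user.uuid); // allowed: non-sensitive identifier
  let rejected = 0;
  const attempts = [['user', user.email], ['theme', 'eyJhbGciOi.eyJzdWIi.sig'], ['password', 'hunter2']];
  for (const [k, v] of attempts) {
    try { storage.setItem(k, v); } catch { rejected += 1; }
  }
  return { stored: storage.getItem('user'), rejected };
}
```

In a real page the backend would be `window.localStorage`; the allow-list and patterns are a guard against accidental leakage, not a substitute for keeping session data on the server.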

## References

* [**OWASP sensitive data exposure**](https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure)
* [**CWE-312: Cleartext Storage of Sensitive Information**](https://cwe.mitre.org/data/definitions/312.html)
* [**OWASP Top 10: A04:2021 - Insecure Design**](https://owasp.org/Top10/A04_2021-Insecure_Design/)

## Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our [**SAST TOOL**](https://scopy.sec1.io/login).
