0Pricing
HTML Academy · Lesson

Security What Never to Store in Storage

Avoid storing tokens or PII in localStorage.

Storage is Plain Text

localStorage and sessionStorage save data unencrypted on disk under the user profile. Any process with file-system access — including malware, backup tools, or another logged-in user — can read every value you stored without going through the browser.

Reachable by Any Script

All scripts running on the origin share the same Storage. A successful XSS attack, a compromised third-party SDK, or a malicious browser extension can call localStorage.getItem and exfiltrate every stored value. There is no per-script isolation.

All lessons in this course

  1. localStorage vs sessionStorage
  2. Getting Setting and Removing Items
  3. Listening for Storage Events
  4. Security What Never to Store in Storage
← Back to HTML Academy