Security What Never to Store in Storage
Avoid storing tokens or PII in localStorage.
Storage is Plain Text
localStorage and sessionStorage save data unencrypted on disk under the user profile. Any process with file-system access — including malware, backup tools, or another logged-in user — can read every value you stored without going through the browser.
Reachable by Any Script
All scripts running on the origin share the same Storage. A successful XSS attack, a compromised third-party SDK, or a malicious browser extension can call localStorage.getItem and exfiltrate every stored value. There is no per-script isolation.
All lessons in this course
- localStorage vs sessionStorage
- Getting Setting and Removing Items
- Listening for Storage Events
- Security What Never to Store in Storage