Keep client-side storage without sensitive data

Summary

Personal, sensitive and session data must not be stored in client-side storage (localStorage, sessionStorage, cookies without security attributes, unencrypted mobile device storage, etc.).

Description

Data placed in localStorage persists after the browser session is closed, so any actor with access to the browser profile (a shared machine, a stolen device, malware on the host) can read it. Furthermore, both localStorage and sessionStorage are readable by every script running in the page's origin, including third-party scripts and code injected through XSS, and a cookie without the HttpOnly attribute is just as exposed through document.cookie. Therefore, no sensitive, personal or session information should be stored in client-side storage; a session identifier belongs in a cookie set with the Secure, HttpOnly and SameSite attributes, which scripts on the page cannot read.
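The following is an added example, not code from the Fluid Attacks page: a small Node.js helper that audits a Web Storage snapshot for the kind of data this requirement forbids (keys that name tokens or personal data, values shaped like a JWT) and builds the Set-Cookie header a server should use for the session identifier instead. The key list, the regular expressions and the sample storage contents are constructed for illustration.

```javascript
// Added example (not from the original page). Flags session tokens and
// personal data left in Web Storage and shows the cookie attributes that
// keep a session identifier out of reach of page scripts. All names are
// hypothetical.

// Key names that commonly carry session or personal data (constructed list).
const SENSITIVE_KEY_RE = /(token|session|jwt|auth|password|secret|ssn|email|card)/i;
// Three base64url segments separated by dots: the shape of a JWT.
const JWT_RE = /^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$/;

// Scan a storage-like object (window.localStorage, window.sessionStorage, or a
// plain-object snapshot of either) and return the entries that should not be there.
function findSensitiveEntries(storage) {
  const entries = typeof storage.key === "function"
    ? Array.from({ length: storage.length }, (_, i) => {
        const k = storage.key(i);
        return [k, storage.getItem(k)];
      })
    : Object.entries(storage);

  const findings = [];
  for (const [key, value] of entries) {
    const reasons = [];
    if (SENSITIVE_KEY_RE.test(key)) reasons.push("sensitive key name");
    if (typeof value === "string" && JWT_RE.test(value.trim())) reasons.push("value looks like a JWT");
    if (reasons.length > 0) findings.push({ key, reasons });
  }
  return findings;
}

// Build the Set-Cookie header for a session identifier. HttpOnly keeps it out of
// document.cookie, Secure keeps it off plaintext HTTP, SameSite=Strict stops it
// being sent on cross-site requests, and the __Host- prefix makes the browser
// require Secure, Path=/ and no Domain attribute.
function sessionCookieHeader(name, value, maxAgeSeconds) {
  if (!/^[A-Za-z0-9_-]+$/.test(value)) throw new Error("cookie value must be a URL-safe token");
  return [
    `__Host-${name}=${value}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "Secure",
    "HttpOnly",
    "SameSite=Strict",
  ].join("; ");
}

// Constructed snapshot of what a vulnerable app left in localStorage.
const sampleLocalStorage = {
  theme: "dark",
  lastRoute: "/dashboard",
  authToken: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
  userEmail: "alice@example.com",
};

// Demo when run directly with Node (guarded so the file also loads as a module).
if (typeof require !== "undefined" && require.main === module) {
  console.log(findSensitiveEntries(sampleLocalStorage));
  // Two findings: authToken (sensitive name, JWT-shaped value) and userEmail.
  console.log(sessionCookieHeader("session", "c3VwZXJzZWNyZXQtc2Vzc2lvbi1pZA", 900));
}
```

In a browser, `findSensitiveEntries(window.localStorage)` can be pasted into the devtools console of the application under test; anything it reports is readable by every script the page loads, which is exactly the exposure the requirement describes.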

Supported In

This requirement is verified in the following services:

Plan        Supported
Machine     🟢
Squad       🟢
One-Shot    🟢

References

Vulnerabilities