Skip to main content

Keep client-side storage without sensitive data


Personal, sensitive and session data must not be stored in the client-side storage (localStorage, sessionStorage, cookies without security attributes, mobile device unencrypted storage, etc.).


Data placed in the localStorage persists after a session is closed and thus, any actor with access to the browser will be able to obtain it. Furthermore, data in the localStorage or in the sessionStorage is visible to scripts that are running on the browser, and these scripts could belong to malicious third-parties. Therefore, no sensitive or session information should be stored in the client-side storage.

Supported In

This requirement is verified in following services




free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.