3

The browser has several built-in storages, such as local storage or indexedDB. Does it make sense to store sensitive data in them if there is a risk that some malware can access the browser's data directory?

Denis
  • Define "sensitive data". Data you're trying to protect from the actual viewer, a la DRM? Don't even send it. Something the real viewer is authorized for, but you don't want leaking? The moment it hits their box it's out of your control - and you don't have any guarantee that it was a **browser** (as opposed to curl or similar) that made the request to your server anyways. Keep in mind that the browser already keeps some sensitive information - login/authorization tokens usually being the big ones. – Clockwork-Muse Dec 26 '18 at 19:07

1 Answer

2

You should consider avoiding storing sensitive data at all. Conceptually, if a system is compromised, it doesn't matter where you store the data; any code that can examine the browser's memory doesn't need to directly access localStorage or an indexedDB, since it could be read straight from memory. So, store only the data you need, but keep in mind that a compromised device cannot be trusted at all.

phyrfox
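An added example, not part of the answer above, of what "store only the data you need" can look like in front of localStorage: only allowlisted fields are written, fields whose names look sensitive are refused even if allowlisted, and entries expire. The function names, the `SENSITIVE_KEY` naming heuristic, and the sample record are assumptions for illustration; this reduces what sits on disk and does nothing against code that can read the browser's memory.

```javascript
// Assumed heuristic: field names that suggest secrets are never persisted.
const SENSITIVE_KEY = /pass(word)?|secret|token|card|ssn|cvv/i;

// Constructed stand-in for window.localStorage so the example runs outside a browser.
function makeMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Write only allowlisted, non-sensitive fields, wrapped with an expiry timestamp.
function persistMinimal(storage, key, record, allowlist, ttlMs, now = Date.now()) {
  const kept = {};
  const dropped = [];
  for (const [field, value] of Object.entries(record)) {
    if (allowlist.includes(field) && !SENSITIVE_KEY.test(field)) kept[field] = value;
    else dropped.push(field);
  }
  storage.setItem(key, JSON.stringify({ expires: now + ttlMs, data: kept }));
  return { kept: Object.keys(kept), dropped };
}

// Read back; expired or malformed entries are deleted instead of returned.
function loadMinimal(storage, key, now = Date.now()) {
  const raw = storage.getItem(key);
  if (raw === null) return null;
  let entry;
  try { entry = JSON.parse(raw); } catch { storage.removeItem(key); return null; }
  if (!entry || typeof entry.expires !== "number" || now >= entry.expires) {
    storage.removeItem(key);
    return null;
  }
  return entry.data;
}

// Constructed sample record; the allowlist mistakenly includes authToken.
const session = { displayName: "Denis", theme: "dark",
                  authToken: "constructed-value", cardNumber: "0000" };
const store = makeMemoryStorage();
const result = persistMinimal(store, "prefs", session,
                              ["displayName", "theme", "authToken"], 60000, 1000);
console.log(result, loadMinimal(store, "prefs", 2000));
```

In a browser, pass `window.localStorage` as `storage`.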