HTML5 localStorage security
Would be a good or bad idea to use localStorage for sensitive data (assuming the current HTML5 implementations)?
What methods can I use to secure the data so that i开发者_运维问答t cannot be read by a person that has access at the client computer?
Bad idea.
- Someone with access to the machine will always be able to read the localStorage, there is nothing much you can do to prevent it. Just type 'localStorage' in firebug console, and you get all the key/value pairs nicely listed.
- If you have an XSS vulnerability in your application, anything stored in
localStorage
is available to an attacker. - You can try and encrypting it, but there is a catch. Encrypting it on the client is possible, but would mean the user has to provide a password and you have to depend on not-so-well-tested javascript implementations of cryptography.
- Encrypting on the server side is of course possible, but then the client code cannot read or update it, and so you have reduced localStorage to a glorified cookie.
If it needs to be secure, its best to not send it to the client. What is not in your control can never be secure.
Public Key Cryptography can be applied to prevent any kind of intrusion. Also, data integrity checks (such as CRC or hashes) may be used to make sure data is validated by the server.
精彩评论