Is LocalStorage safe to use?

January 30, 2020 | in Application Security
| By Liran Tal

The internet has come a long way since the first-ever website that struggled with basic text layout. HTML5 is the latest evolution of hypertext markup language, and it’s been designed to do almost anything a web developer wants without additional browser plugins. With HTML5, developers gained a whole slew of semantic elements, graphic elements, and even a few tricks involving web storage – notably local storage. Of course, people are wondering: is local storage safe to use?

Local storage has caught the attention of developers as a lightweight solution for data storage that doesn’t involve databases or even the server. That’s neat, but is it always a good idea to use it? Here are a few thoughts from the folks at Snyk.

What is LocalStorage?

LocalStorage is an HTML5 web storage object for storing data on the client – that is, locally, on a user’s computer. Data stored locally has no expiration date and will exist until it’s been deleted. (In contrast, session storage, which is another HTML5 web storage API, deletes data stored when the browser closes.)

Local storage is pure JavaScript. Likewise, while it still generates a plaintext document on the user’s device, local storage also allows up to 5MB of data to be stored (as compared to the 4KB of a cookie). That has enabled many interesting applications of local storage, such as managing content to reduce the need to request content from a server , speeding load times.

When used thoughtfully, local storage can be a powerful lightweight data storage solution that isn’t without problems. Here are a few reasons using local storage might be a bad idea, depending on what’s being stored.

Why using LocalStorage might be a bad idea

Local storage is inherently no more secure than using cookies. When that’s understood, the object can be used to store data that’s insignificant from a security standpoint. Here are a few reasons, however, to reconsider the use of local storage.

1. If a site is vulnerable to XSS, LocalStorage is not safe

Perhaps the biggest objection to the use of local storage is the security vulnerabilities associated with it. Local storage shares many of the same characteristics as a cookie, including the same security risks. One of those is susceptibility to cross-site scripting, which steals cookies to let hackers masquerade as a user with their login session for a site. Storing something sensitive like a password in a local storage file actually simplifies the process for a hacker, because they won’t need to load the cookie into their own browser.

2. Developers have no control over the locally stored data

With local storage, there’s no server-side storage – no database over which the developer has control. That can be problematic for a few reasons, one of which being that developers have no way to update code or information once it’s been stored. A user would need to either manually delete the file, which would require finding it. Or, they’d need to wipe their browser cache and thus lose all stored data.

3. People clear their caches

Periodically clearing the browser cache helps cookies function more effectively and is typically the first step that people take when troubleshooting browser problems like a page not loading properly. That’s a problem when using local storage to support a site’s functions. If a user clears the browser cache, that information will be permanently lost. This makes local storage more useful as a fallback database instead.

Alternatives to LocalStorage

A few alternatives to local storage do exist depending on whether or not the information is sensitive. Developers who don’t want to use local storage may:

  •       Use server-side sessions for sensitive information: Storing data on the server has several advantages when it comes to sensitive information. First, the developer can guarantee its security and has more control over individual sessions (they can be terminated instantly if necessary). Second, the data is protected within the architecture, and there’s less chance for its exposure.
  •       For non-sensitive information, choose IndexedDB: For developers bent on using client-side sessions, IndexedDB empowers developers to build applications that can be stored locally. Although it doesn’t have as widespread browser support as local storage, it can be nonetheless useful for locally storing non-sensitive data. IndexedDB has one major advantage over local storage, in that it is a full-fledged database capable of handling more types of data. 

Be smart about data storage

When thoughtfully deployed, local storage can boost site performance and help create more lightweight applications. However, local storage should never be used for sensitive information such as passwords or personal information. Doing so creates a security risk that is frankly avoidable if the site’s server is already secure.

For information that requires encryption and security, there are other effective and expedient solutions out there such as server-side sessions. With cybersecurity being such a major concern, there’s no need to risk it. So, don’t.