Leakage of sensitive data in local storage
- Rule ID: javascript_lang_session
- Languages: javascript
- Source: session.yml
Description
Sensitive data should not be stored in localStorage. This rule flags any sensitive data written to localStorage.
Remediations
It's best to avoid storing sensitive data in localStorage
whenever possible. To keep session data safe, use a server-based session storage solution instead.
❌ If you do need to store data in localStorage, avoid including sensitive data:
localStorage.setItem('user', email)
✅ Instead, use a unique identifier:
localStorage.setItem('user', user.uuid)
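The following is an added example, not part of the Bearer rule or its documentation: a toy approximation of the check this rule performs, run over a few constructed source lines. The sensitive-identifier list and the regex are assumptions for illustration; Bearer's own data-type classification is far richer.

```javascript
// Added example (not Bearer's code): a toy version of this rule's check, run
// over constructed JavaScript source lines. It flags localStorage.setItem()
// calls whose stored value looks like sensitive data and passes calls that
// store an opaque identifier instead.

// Identifier fragments treated as sensitive (assumed list for the example).
const SENSITIVE_NAMES = ['email', 'password', 'passwd', 'token', 'ssn', 'phone', 'address', 'creditcard'];

// Matches localStorage.setItem(<key>, <value>) and captures both arguments.
const SET_ITEM = /localStorage\.setItem\(\s*([^,]+),\s*([^)]+)\)/;

function isSensitive(valueExpr) {
  const expr = valueExpr.toLowerCase();
  // An email-shaped string literal is sensitive regardless of variable name.
  if (/['"][^'"@]+@[^'"]+['"]/.test(expr)) return true;
  // Otherwise inspect identifier fragments: email, user.email, authToken, ...
  return SENSITIVE_NAMES.some(name => expr.includes(name));
}

// Scan source text; return one finding per offending line.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const m = SET_ITEM.exec(line);
    if (m && isSensitive(m[2])) {
      findings.push({ line: idx + 1, key: m[1].trim(), value: m[2].trim() });
    }
  });
  return findings;
}

// Constructed sample: the rule's own ❌ and ✅ snippets plus two more cases.
const SAMPLE_SOURCE = [
  "localStorage.setItem('user', email)",
  "localStorage.setItem('user', user.uuid)",
  "localStorage.setItem('session', authToken)",
  "localStorage.setItem('theme', 'dark')",
].join('\n');

// Returns the findings for the constructed sample (lines 1 and 3 are flagged).
function demo() {
  return scanSource(SAMPLE_SOURCE);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```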
Resources
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=javascript_lang_session
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=javascript_lang_session