Leakage of sensitive data in local storage

  • Rule ID: javascript_lang_session
  • Languages: javascript
  • Source: session.yml

Description

Sensitive data should not be stored in localStorage. This rule flags any sensitive data (for example an email address or other personal data) that is written to localStorage, where it persists across sessions and is readable by any script running on the page.

Remediations

It's best to avoid storing sensitive data in localStorage whenever possible. To keep session data safe, use a server-based session storage solution instead.

❌ If you do need to store data in localStorage, avoid including sensitive data:

localStorage.setItem('user', email)

✅ Instead, use a unique identifier:

localStorage.setItem('user', user.uuid)
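The remediation above, worked into an added example that is not part of the Bearer rule page: an audit function that flags localStorage entries holding sensitive-looking data, beside the corrected pattern that stores only an opaque identifier. It assumes an in-memory stand-in for the Storage API so it runs under Node, and that user.uuid is a UUID-formatted identifier.

```javascript
// Added example (not Bearer's rule code). Audits Storage entries for data
// that should not be in localStorage, and shows the opaque-identifier fix.

// Minimal in-memory stand-in for window.localStorage so this runs in Node
// (constructed for the example; in a browser use localStorage directly).
function makeStorage() {
  const data = new Map();
  return {
    setItem: (k, v) => data.set(k, String(v)),
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    removeItem: (k) => data.delete(k),
    key: (i) => [...data.keys()][i] ?? null,
    get length() { return data.size; },
  };
}

// Heuristics for values and key names that indicate sensitive data.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const SENSITIVE_KEYS = /(password|passwd|secret|token|ssn|card)/i;

// Returns [{key, reason}] for entries that should not live in localStorage.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) ?? '';
    if (SENSITIVE_KEYS.test(key)) findings.push({ key, reason: 'sensitive key name' });
    else if (EMAIL_RE.test(value)) findings.push({ key, reason: 'email address' });
    else if (JWT_RE.test(value)) findings.push({ key, reason: 'JWT-like token' });
  }
  return findings;
}

// Remediation pattern: only the opaque identifier reaches localStorage; the
// profile (email etc.) stays in the server-side session keyed by that id.
function rememberUser(storage, user) {
  if (!UUID_RE.test(user.uuid)) throw new Error('expected an opaque uuid');
  storage.setItem('user', user.uuid);
}
```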

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_session

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=javascript_lang_session