Leakage of sensitive data in local storage

  • Rule ID: javascript_lang_session
  • Languages: javascript
  • Source: session.yml

Description

Sensitive data should not be stored in a localStorage session. This policy looks for any sensitive data stored within the localstorage.

Remediations

It's best to avoid storing sensitive data in localStorage whenever possible. To keep session data safe, use a server-based session storage solution instead.

❌ If you do need do store data in localStorage, avoid including sensitive data:

localStorage.setItem('user', email)

✅ Instead, use a unique identifier:

localStorage.setItem('user', user.uuid)

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_session

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_session

Ready to take the next step? Learn more about Bearer Cloud.