When building a React app, it’s common to store simple user data — like names or themes — in localStorage. It’s convenient, persistent, and easy to use:
localStorage.setItem("role", "ADMIN");
But here’s the problem: anything stored in localStorage is 100% visible and editable by anyone who opens your website.
🧠 What Is localStorage?
localStorage is a small key-value database built into every browser. It’s meant for client-side storage, not secure data.
You can see and change it anytime using the browser’s DevTools → Application → Local Storage tab.
🔓 The Common Mistake
Many developers (especially beginners) use localStorage to store login-related info, such as:
localStorage.setItem("role", "ADMIN");
Then they rely on it in React to control access:
onst role = localStorage.getItem("role");
if (role === "ADMIN") {
// show admin dashboard
}
At first glance, this looks fine. But anyone can open the browser console and simply run:
localStorage.setItem("role", "ADMIN");
location.reload();
What if the hacker does not the items in the localstorage? The answer is there is a way to view all items in the localstorage. Just type:
console.table(Object.entries(localStorage));
Boom 💥 — the app now thinks they’re an admin.
All admin menus, buttons, or “restricted” pages might appear instantly.
🧱 But Wait — Does That Mean They’re Actually Admin?
It depends on your backend.
-
❌ If your backend does not verify roles (e.g., it trusts the frontend), your data is wide open.
-
✅ If your backend does verify permissions using tokens or sessions, the fake “admin” role on the frontend only affects the UI — the hacker still can’t perform real admin actions.
🛡️ How to Do It Safely
-
Never trust localStorage for authorization.
It’s fine for cosmetic data (like theme = "dark"), but not for anything related to user identity or privileges. -
Use JWTs or sessions for secure authentication.
Store a signed token (like a JWT) that your backend verifies with every request.
The token itself should contain the user’s role — and the backend should confirm it before granting access. -
Let the backend decide what data to send.
For example, instead of giving all users/admin/data, make the server check the token and respond with “403 Forbidden” if the user isn’t authorized. -
Hide UI elements based on real backend responses.
Don’t just rely on what’s inlocalStorage— render admin features only after verifying the user’s role from the backend.
🕵️♂️ The Bottom Line
If your app’s security depends on a value stored in localStorage, then your app is not secure.
localStorage should be treated like a sticky note on a public computer — convenient, but visible (and editable) to anyone.
✅ TL;DR
| What | Safe? | Notes |
|---|---|---|
| Theme preference | ✅ | Cosmetic only |
| Username | ⚠️ | Not sensitive but editable |
| Access token (JWT) | ⚠️ | OK if short-lived and validated by backend |
| User role / admin flag | ❌ | Never store as plain text |
| Passwords / secrets | 🚫 | Never, ever store here |
No comments:
Post a Comment