Severity: high | CWE-922 | OWASP A07:2021

Authentication Tokens in localStorage

Storing JWT tokens, session tokens, or API keys in localStorage makes them accessible to any JavaScript running on the page, including XSS payloads.

How It Works

localStorage is readable by any JavaScript running on the same origin. If an attacker achieves even a minor XSS vulnerability, they can extract every stored token with a single line of script. Cookies can be protected with the HttpOnly flag, which keeps them out of document.cookie and out of reach of page scripts; localStorage has no equivalent protection. Stolen tokens allow session hijacking, account takeover, and API abuse. Unlike cookies, localStorage values are never sent automatically with requests, so developers must attach them manually, often in ways that expose them to CSRF or XSS. Tokens in localStorage also persist after the browser is closed, which extends the attack window.

Vulnerable Code

// After login: the raw token is written to localStorage, where any script
// running on this origin (including an injected XSS payload) can read it
const { token } = await response.json();
localStorage.setItem('auth_token', token);

// On every request the client reads the token back and attaches it by hand
fetch('/api/data', {
  headers: { Authorization: `Bearer ${localStorage.getItem('auth_token')}` }
});

Secure Code

// Server sets an HttpOnly cookie after login (serialize comes from the
// npm 'cookie' package)
const { serialize } = require('cookie');

// In API route:
res.setHeader('Set-Cookie', serialize('session', token, {
  httpOnly: true,   // not readable from document.cookie or any page script
  secure: true,     // only sent over HTTPS
  sameSite: 'lax',  // not sent on cross-site POSTs, limiting CSRF
  path: '/',
  maxAge: 60 * 60 * 24 * 7
}));

// Client requests automatically include the cookie; 'include' is only
// needed when the API lives on a different origin
fetch('/api/data', { credentials: 'include' });

Real-World Example

In 2022, an XSS vulnerability in a popular React dashboard allowed attackers to steal JWTs from localStorage of admin users. The tokens had long expiration times (30 days), giving attackers persistent access to admin panels and customer data.

How to Prevent It

  • Store tokens in HttpOnly, Secure cookies instead of localStorage
  • Set SameSite=Lax or Strict on authentication cookies
  • Use short token expiration times with refresh token rotation
  • Implement Content Security Policy to reduce XSS attack surface

Affected Technologies

React, Next.js, Node.js

Data Hogo detects this vulnerability automatically.
