HTML5 localStorage security


Question

Would be a good or bad idea to use localStorage for sensitive data (assuming the current HTML5 implementations)?

What methods can I use to secure the data so that it cannot be read by a person that has access at the client computer?

Recommended answer

Bad idea.

  1. Someone with access to the machine will always be able to read the localStorage, there is nothing much you can do to prevent it. Just type 'localStorage' in firebug console, and you get all the key/value pairs nicely listed.
  2. If you have an XSS vulnerability in your application, anything stored in localStorage is available to an attacker.
  3. You can try encrypting it, but there is a catch. Encrypting it on the client is possible, but would mean the user has to provide a password and you have to depend on not-so-well-tested javascript implementations of cryptography.
  4. Encrypting on the server side is of course possible, but then the client code cannot read or update it, and so you have reduced localStorage to a glorified cookie.

If it needs to be secure, it's best to not send it to the client. What is not in your control can never be secure.
