Why using localstorage in JS is insecure?

Depends on the data stored or applies in any implementation?

Yes it depends of the data stored.

Localstorage saves data into the users browser, it is persistent and survives system reboots or shutdowns. Sessionstorage functions almost in the same way, but the data is only saved until the window or the tab is closed.

Saving sensitive information like credentials or session tokens on a localstorage is insecure because of it’s inherent characteristics, any XSS attack can extract data from the storage, also the data could be changed with the same method. Using cookies with the httponly flag is the best way to deal with session tokens and sensitive user information.

1 Like

Then, there’s no difference between Localstorage and Sessionstorage in the XSS scenario?

Where is the right place to store sensitive information like tokens or credentials?

No, the only difference is the time frame that those methods manage saved objects but for the XSS attack is a simple Javascript command.

As I said up there:

Using cookies with the httponly flag is the best way to deal with session tokens and sensitive user information