Skip to content

Auth token stored in localStorage is vulnerable to XSS exfiltration #7

Description

@abayomicornelius

src/lib/api.ts's request interceptor reads localStorage.getItem('stellarsend_token') and attaches it as a Bearer token on every request. Tokens in localStorage are readable by any injected script (no httpOnly protection), which is a meaningful risk in an app that also renders user-supplied contact names and memos.

Consider moving to an httpOnly cookie-based session, or at minimum document the threat model and add CSP headers to mitigate XSS in the first place.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestsecuritySecurity concern

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions