Where should web pages store secrets and keys?



You have a couple of options for storing tokens or other secrets like API keys that only need to be presented to a remote server.

* Secure, HTTPOnly cookies. This requires that your servers live on the same domain as the web page is being served from, but cookies will transparently be attached to any request and are unavailable to be exfiltrated.

* Some secrets can be stored outside of the browser JavaScript context so again can't be exfiltrated. This is pretty limited, but WebAuthn uses this for example.

* Keep the secrets server side in a session. You are still vulnerable to session riding, but not exfiltration of tokens.


These days they typically use a (native) reverse-proxy as their gateway to the wider web, which manages their access-tokens/secrets for them.

cf. https://leastprivilege.com/2020/03/31/spas-are-dead/
