Problem description
I'm currently building a single page application using reactjs. I read that many of the reasons for not using localStorage are because of XSS vulnerabilities. Since React escapes all user input, would it now be safe to use localStorage?
Recommended answer
In most of the modern single page applications, we indeed have to store the token somewhere on the client side (most common use case - to keep the user logged in after a page refresh).
There are a total of 2 options available: Web Storage (session storage, local storage) and a client side cookie. Both options are widely used, but this doesn't mean they are very secure.
Tom Abbott summarizes JWT sessionStorage and localStorage security well:
To prevent XSS, the common response is to escape and encode all untrusted data. React (mostly) does that for you! Here's a great discussion about how much XSS vulnerability protection React is responsible for.
But that doesn't cover all possible vulnerabilities! Another potential threat is the usage of JavaScript hosted on CDNs or outside infrastructure.
Tom again:
What if only one of the scripts you use is compromised? Malicious JavaScript can be embedded on the page, and Web Storage is compromised. These types of XSS attacks can get the Web Storage of everyone who visits your site, without their knowledge. This is probably why a bunch of organizations advise not to store anything of value or trust any information in web storage. This includes session identifiers and tokens.
Therefore, my conclusion is that as a storage mechanism, Web Storage does not enforce any secure standards during transfer. Whoever reads Web Storage and uses it must do their due diligence to ensure they always send the JWT over HTTPS and never HTTP.
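The "always send the JWT over HTTPS and never HTTP" due diligence from the answer, as an added example that is not part of the original answer: a request builder that reads the token from Web Storage but refuses to attach it to a non-HTTPS URL. The storage key "jwt" and the in-memory storage stand-in are assumptions so the check runs outside a browser.

```javascript
// Added example, not code from the original answer. It assumes the JWT is kept
// under the constructed key "jwt" and that the storage object is passed in
// (window.localStorage in a browser, the stand-in below when run under Node).

// Build the request parameters for a bearer-token call, enforcing that the
// token never leaves Web Storage for a clear-text (non-HTTPS) destination.
function buildAuthorizedRequest(rawUrl, storage, key = "jwt") {
  const url = new URL(rawUrl); // throws on a malformed URL

  // Transport check: a token read from localStorage is worthless to an
  // attacker only if it is never observable on the wire.
  if (url.protocol !== "https:") {
    throw new Error(`refusing to send a bearer token over ${url.protocol}`);
  }

  const token = storage.getItem(key);
  if (!token) {
    throw new Error(`no token stored under "${key}"`);
  }

  return {
    url: url.href,
    headers: { Authorization: `Bearer ${token}` },
  };
}

// Thin wrapper around fetch that applies the check before every call.
async function authorizedFetch(rawUrl, storage, init = {}) {
  const { url, headers } = buildAuthorizedRequest(rawUrl, storage);
  return fetch(url, { ...init, headers: { ...(init.headers || {}), ...headers } });
}

// Minimal stand-in for window.localStorage (getItem/setItem only) so the
// check can be exercised outside a browser; constructed for this example.
function memoryStorage(entries = {}) {
  const map = new Map(Object.entries(entries));
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => map.set(k, String(v)),
  };
}

module.exports = { buildAuthorizedRequest, authorizedFetch, memoryStorage };
```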
This concludes the answer to: is it safe to store a JWT in localStorage when using reactjs?