Section 23 · Infrastructure Features

Client-Side Security & Storage

Cookie configuration, browser storage usage, and JWT handling practices

3 items 1 critical 2 recommended

This guide walks you through auditing a project's client-side security practices, including cookie configuration, browser storage usage, and JWT handling.

The Goal: Secrets Hidden from JavaScript

Sensitive data in the browser should be inaccessible to malicious scripts, limiting the blast radius of XSS attacks.

  • HttpOnly cookies — Session tokens and auth data cannot be read by JavaScript
  • Clean browser storage — localStorage and sessionStorage contain only preferences, never tokens or PII
  • Secure JWT handling — Short-lived tokens, proper signing algorithms, documented refresh flows
  • Minimized attack surface — No sensitive data exposed to client-side code that doesn't need it

Before You Start

  1. Get access to the codebase (required for this section)
  2. Identify the auth library in use (next-auth, iron-session, passport, custom)
  3. Identify if JWTs are used (some apps use session-based auth only)

Cookies

CSS-001
Cookies use HttpOnly for sensitive data critical

Auth/session cookies configured with HttpOnly flag to prevent XSS attacks from stealing tokens

“Could XSS steal your session tokens right now?”

Storage

CSS-002
Browser storage used appropriately recommended

localStorage limited to preferences/UI state; no tokens, secrets, or PII in browser storage

“Any tokens sitting in localStorage right now?”

JWT Handling

CSS-003
JWT handling practices documented and followed recommended

JWT practices documented including expiration, storage, refresh flow; implementation matches docs

“What's your JWT expiry and does the team know it?”
← Previous section

Front-End Performance

4 items

 Next section →

Data Retention

5 items