Security patterns for keeping secrets in the browser

This page contains the resources for the talk titled "Security patterns for keeping secrets in the browser". Next to the slides, a cheat sheet provides an overview of the different patterns, their pros and cons. The GitHub repository contains code examples for each of the patterns.


Modern applications often rely on storing data in the browser. A simple scenario is keeping a JWT token in localStorage. A more complex scenario is keeping application data in the browser to enable offline use. Unfortunately, the security properties of these mechanisms are less than stellar. Device-based access or XSS attacks easily result in the compromise of sensitive data.

In this talk, we investigate the strengths and weaknesses of browser-based storage mechanisms. We explore various security strategies to protect sensitive data. We even propose a way to protect data against physical access to the device. Throughout the talk, we build up a set of security patterns for frontend developers. You will walk away with practical guidelines for storing data in frontend applications.

About Philippe De Ryck

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.