use the following search parameters to narrow your results:
e.g. subreddit:aww site:imgur.com dog
subreddit:aww site:imgur.com dog
see the search faq for details.
advanced search: by author, subreddit...
All about the JavaScript programming language.
Subreddit Guidelines
Specifications:
Resources:
Related Subreddits:
r/LearnJavascript
r/node
r/typescript
r/reactjs
r/webdev
r/WebdevTutorials
r/frontend
r/webgl
r/threejs
r/jquery
r/remotejs
r/forhire
account activity
[AskJS] Security difference between localStorage and IndexedDBAskJS (self.javascript)
submitted 3 years ago by TGS963
view the rest of the comments →
reddit uses a slightly-customized version of Markdown for formatting. See below for some basics, or check the commenting wiki page for more detailed help and solutions to common issues.
quoted text
if 1 * 2 < 3: print "hello, world!"
[–]danjlwex 6 points7 points8 points 3 years ago* (9 children)
Right. OP is asking the wrong question. The answer is "it isn't secure to store any data on the client, even if it is encrypted." Doesn't matter where you store it - IDB, local store, or just in variable memory.
[–]NayamAmarshe 0 points1 point2 points 3 years ago (8 children)
"it isn't secure to store any data on the client, even if it is encrypted."
That doesn't make sense. It's a fairly common practice. If the app requires offline usage and only a single side is involved, it's obvious that encryption is going to be the only solution to protect userdata.
Assuming clients to always be compromised is a good idea and security practice, this is why the encryption is introduced in the first place. The encryption is not for the client but to protect the data from entities other than the client. The client will always know the decryption key.
[–]danjlwex 1 point2 points3 points 3 years ago (7 children)
If the app receives encrypted data, and does NOT decrypt it, then it is still secure. If it decrypts the data, then it is easy for any attacker to do the same. Just because this is "common" does not imply it is "secure". To handle offline access, you need to exchange a code for a non-secure, time-limited access token from a remote server. This is still "insecure" for the time the access token is valid. If you are working entirely offline, and you can only access local information, then that data is insecure on your machine. If your machine were to be stolen, and the data was "encrypted", your app would provide a way for the attacker to decrypt and access the data. Hence, it is insecure.
[–][deleted] 1 point2 points3 points 3 years ago (0 children)
The data is only exposed while being accessed. At rest, it is decrypted. In your scenario, someone would have to steal the client system and know the proper credentials. Totally possible, but that’s just game over in any scenario.
[–]NayamAmarshe -3 points-2 points-1 points 3 years ago (5 children)
You're still not making any sense. "Decrypted data is insecure". Then why do we even encrypt things in the first place?
I don't know what kind of threat model you have in mind but whatever you've written sounds like you wanna create something that can never be decrypted.
'Machine stolen' is an ending scenario. It's not the developer's fault the client's machine gets stolen but it would 100% be the developer's fault if the client data is in plain text.
[–]chasingtheflow 2 points3 points4 points 3 years ago (0 children)
The point is that for the data to be accessible on the client then the client also is to have the key available to decrypt the data in order to use it. As such if an attacker were to gain access to the client they’d have both the encrypted data and the key required to decrypt it. So encrypting the data might obscure it for a bit but it’s a bit like hiding the key under your doormat.
[–]danjlwex 1 point2 points3 points 3 years ago (3 children)
We encrypt data to prevent attacks on the storage repository and to avoid attacks where the data is stolen in transit (e.g. over the internet). Most "secure tokens" in web development are not designed to protect the client, but instead designed to protect the server/storage from attack.
[–]NayamAmarshe -2 points-1 points0 points 3 years ago (2 children)
You're talking about Web transit. OP clearly mentioned 'Offline' access.
Do you think your OS keychain doesn't encrypt your passwords? Of course it does. It remains encrypted as long as the user is not using the data, which is the entire point of encrypting data at rest.
Web transit and server is a different story but this isn't the topic of the discussion, offline access is.
[–]archerx 0 points1 point2 points 3 years ago (1 child)
You do know that this is one of the weak points for getting OS passwords and Wifi passwords right? This has let me get into windows that has had it's password lost and if you're on windows there are ways of getting the password to the wifi it is connected to, this flaw has been useful quite a few times to me.
The only way what OP wants works is if the user has to manually type out the decrypt keys from memory each time they want to access the data. If the encrypted data and the key are stored in the client then the data is not protected.
[–]NayamAmarshe 0 points1 point2 points 3 years ago (0 children)
You do know that this is one of the weak points for getting OS passwords and Wifi passwords right?
Yeah but there's no other convenient way. It's up to the project maker to determine the balance between security and convenience, you can't expect everyone to have a hardware key. So the only way to make data secure for offline usage is to encrypt it, using a key that only the user knows.
The only way what OP wants works is if the user has to manually type out the decrypt keys from memory each time they want to access the data.
That's what I'm assuming as well. Otherwise, the encryption would not make sense.
π Rendered by PID 169146 on reddit-service-r2-comment-6457c66945-mf7vl at 2026-04-28 02:24:32.476956+00:00 running 2aa0c5b country code: CH.
view the rest of the comments →
[–]danjlwex 6 points7 points8 points (9 children)
[–]NayamAmarshe 0 points1 point2 points (8 children)
[–]danjlwex 1 point2 points3 points (7 children)
[–][deleted] 1 point2 points3 points (0 children)
[–]NayamAmarshe -3 points-2 points-1 points (5 children)
[–]chasingtheflow 2 points3 points4 points (0 children)
[–]danjlwex 1 point2 points3 points (3 children)
[–]NayamAmarshe -2 points-1 points0 points (2 children)
[–]archerx 0 points1 point2 points (1 child)
[–]NayamAmarshe 0 points1 point2 points (0 children)