Auth token stored in localStorage/sessionStorage
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
An authentication token is written to localStorage or sessionStorage, which any script on the page (including an injected one) can read, so any XSS becomes token theft.
Why it matters
localStorage and sessionStorage are readable by any JavaScript running on the page, so a token kept there is exposed to any cross-site scripting bug or compromised third-party script, which can read it and send it anywhere. Unlike a cookie, there is no HttpOnly option to shield it. A stolen token replays until it expires.
How to fix it
Keep session and auth tokens out of web storage. Have the server set the token in an HttpOnly, Secure, SameSite cookie and authenticate from that. If you must handle a bearer token in JavaScript, hold it only in memory (a module variable or closure) and obtain it through an HttpOnly refresh-cookie flow, never persisting it to storage.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo