Will It Vibe?
SEC-021High severity-15 points

Sensitive token stored in localStorage

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

localStorage is readable by any script on the page (XSS-exposed); tokens/passwords stored there are easily stolen.

Why it matters

Everything in localStorage is readable by any JavaScript running on the page, so one XSS bug or one compromised third-party script can exfiltrate every stored token. Unlike cookies, there is no httpOnly option to shield it. A stolen session token replays until it expires.

How to fix it

Keep session tokens out of script-readable storage: have the server set an httpOnly, Secure, SameSite cookie and authenticate requests with it. If you must handle a bearer token in JavaScript, hold it in memory only and refresh it through an httpOnly cookie flow. Remove the localStorage reads and writes for these keys together.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks