Sensitive token stored in localStorage
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
localStorage is readable by any script on the page (XSS-exposed); tokens/passwords stored there are easily stolen.
Why it matters
Everything in localStorage is readable by any JavaScript running on the page, so one XSS bug or one compromised third-party script can exfiltrate every stored token. Unlike cookies, there is no httpOnly option to shield it. A stolen session token replays until it expires.
How to fix it
Keep session tokens out of script-readable storage: have the server set an httpOnly, Secure, SameSite cookie and authenticate requests with it. If you must handle a bearer token in JavaScript, hold it in memory only and refresh it through an httpOnly cookie flow. Remove the localStorage reads and writes for these keys together.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo