New
Introducing React Bench, see how different models perform on React code

react-doctor/auth-token-in-web-storage

Auth token in web storage

  • Category: Security
  • Severity: warn
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: always
  • Default: Enabled

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Confirm the reported code matches Auth token in web storage. Check the framework context and diagnostic message before suppressing it.

Fix prompt

Use this once validation confirms the diagnostic is real.

Don't persist auth tokens (JWTs, access/refresh tokens, secrets) in localStorage/sessionStorage; they're readable by any XSS. Use an HttpOnly cookie set by the server.

More Security rules from the rules reference:

  • react-doctor/build-pipeline-secret-boundary: Installing dependencies while CI secrets are in the environment lets a malicious package's lifecycle script read those secrets, which risks supply-chain compromise.
  • react-doctor/clickjacking-redirect-risk: A redirect target taken from caller input, or a privileged page that allows untrusted framing, lets attackers send users to malicious sites or trick them through clickjacking.
  • react-doctor/command-execution-input-risk: Passing caller-controlled input into a shell command lets an attacker run arbitrary commands on your server (remote code execution).
  • react-doctor/cors-cookie-trust-risk: Combining credentialed CORS with a wildcard or less-trusted origin, or scoping auth cookies to a parent domain, lets other sites or subdomains ride a user's session.
  • react-doctor/dangerous-html-sink: Passing user- or request-derived data into an HTML sink like `dangerouslySetInnerHTML` or `innerHTML` without sanitizing it allows cross-site scripting.