react-doctor/auth-token-in-web-storage
Auth token in web storage
- Category: Security
- Severity: warn
- Source:
oxlint-plugin-react-doctor - Framework: global
- Enabled when: always
- Default: Enabled
Validation prompt
Use this to decide whether a fired diagnostic is real or a false positive.
Confirm the reported code matches Auth token in web storage. Check the framework context and diagnostic message before suppressing it.
Fix prompt
Use this once validation confirms the diagnostic is real.
Don't persist auth tokens (JWTs, access/refresh tokens, secrets) in localStorage/sessionStorage; they're readable by any XSS. Use an HttpOnly cookie set by the server.
Related rules
More Security rules from the rules reference:
react-doctor/build-pipeline-secret-boundary: Installing dependencies while CI secrets are in the environment lets a malicious package's lifecycle script read those secrets, which risks supply-chain compromise.react-doctor/clickjacking-redirect-risk: A redirect target taken from caller input, or a privileged page that allows untrusted framing, lets attackers send users to malicious sites or trick them through clickjacking.react-doctor/command-execution-input-risk: Passing caller-controlled input into a shell command lets an attacker run arbitrary commands on your server (remote code execution).react-doctor/cors-cookie-trust-risk: Combining credentialed CORS with a wildcard or less-trusted origin, or scoping auth cookies to a parent domain, lets other sites or subdomains ride a user's session.react-doctor/dangerous-html-sink: Passing user- or request-derived data into an HTML sink like `dangerouslySetInnerHTML` or `innerHTML` without sanitizing it allows cross-site scripting.