security.authentication

Avoid browser token storage

Access and session tokens should not be stored in long-lived browser storage.

#Metadata

#Why it matters

Tokens written to long-lived browser storage such as localStorage are readable by any script running on the page's origin, so a single XSS payload can read the token out of storage and exfiltrate it. Because that storage persists across reloads and tabs, the token also remains on disk on a shared or compromised device until the entry is explicitly removed, well beyond the session it was issued for.

#Remediation

Keep the session in an HttpOnly cookie (set with Secure and an appropriate SameSite value, and paired with CSRF protection, since the browser attaches the cookie automatically), or hold a short-lived access token only in memory and re-obtain it from the backend after a reload. Do not write tokens to localStorage or any other long-lived cleartext browser storage.
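The following is an added example for this rule page, not code from the critiq-rules catalog. It shows the flagged pattern (a token written to storage that any script can read back), an in-memory holder as the client-side alternative, a Set-Cookie builder for the HttpOnly option, and a small heuristic scanner that flags storage writes of token-like values. The `KeyValueStore` interface, `FakeStorage`, the cookie builder and the scanner's regexes are assumptions made for illustration; the scanner is not the catalog rule's own matching logic.

```typescript
// Added example for the browser-token-storage rule; not part of critiq-rules.
// Minimal stand-in for window.localStorage so the example runs outside a browser.
// On the real object, any script on the origin can call getItem.
interface KeyValueStore {
  setItem(key: string, value: string): void;
  getItem(key: string): string | null;
  removeItem(key: string): void;
}

class FakeStorage implements KeyValueStore {
  private data = new Map<string, string>();
  setItem(key: string, value: string): void { this.data.set(key, value); }
  getItem(key: string): string | null { return this.data.get(key) ?? null; }
  removeItem(key: string): void { this.data.delete(key); }
}

// The pattern the rule flags: the token persists across reloads and is readable
// by every script on the origin, so an XSS payload can simply read it back.
function storeTokenUnsafely(storage: KeyValueStore, token: string): void {
  storage.setItem("access_token", token);
}

// What injected script does: read the token straight out of storage.
function exfiltrateFromStorage(storage: KeyValueStore): string | null {
  return storage.getItem("access_token");
}

// Hardened alternative 1: keep the token only in memory (a closure here).
// Nothing persists across a reload; the app re-obtains a token from the backend
// rather than re-reading it from storage.
interface TokenHolder {
  set(token: string): void;
  get(): string | null;
  clear(): void;
}

function createTokenHolder(): TokenHolder {
  let current: string | null = null;
  return {
    set(token) { current = token; },
    get() { return current; },
    clear() { current = null; },
  };
}

// Hardened alternative 2 (server side): session identifier in an HttpOnly cookie.
// HttpOnly blocks document.cookie access; Secure and SameSite limit where it is sent.
// The browser still attaches the cookie automatically, so CSRF protection is still needed.
function buildSessionCookie(name: string, value: string, maxAgeSeconds: number): string {
  // Assumed restriction: only token-safe characters, so the header cannot be split.
  if (!/^[A-Za-z0-9._-]+$/.test(value)) {
    throw new Error("cookie value must be a token-safe string");
  }
  return [
    `${name}=${value}`,
    "HttpOnly",
    "Secure",
    "SameSite=Strict",
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
  ].join("; ");
}

// Heuristic scanner in the spirit of the rule (an assumption, not the catalog's logic):
// report lines that write to localStorage or sessionStorage where the arguments
// mention something token-like. The hint is checked only after "setItem(" so the
// word "session" in "sessionStorage" itself does not trigger a finding.
const STORAGE_WRITE = /\b(localStorage|sessionStorage)\s*\.\s*setItem\s*\(/;
const TOKEN_HINT = /token|jwt|session|bearer|refresh/i;

function findBrowserTokenStorage(source: string): string[] {
  const findings: string[] = [];
  source.split("\n").forEach((raw, i) => {
    const m = STORAGE_WRITE.exec(raw);
    if (m && TOKEN_HINT.test(raw.slice(m.index + m[0].length))) {
      findings.push(`${i + 1}: ${raw.trim()}`);
    }
  });
  return findings;
}

// Constructed sample source for the scanner (not from any real project).
const SAMPLE_SOURCE = `
const res = await fetch("/login", { method: "POST" });
const { token } = await res.json();
localStorage.setItem("jwt", token);
sessionStorage.setItem("theme", "dark");
window.sessionStorage.setItem('refreshToken', refresh);
`;

console.log(findBrowserTokenStorage(SAMPLE_SOURCE).join("\n"));
```

Running the block reports lines 4 and 6 of the constructed sample and leaves the unrelated `theme` write alone. The `FakeStorage` round trip makes the rule's point concrete: whatever `setItem` writes, `getItem` hands back to any caller, which is exactly the access an XSS payload has; the in-memory holder gives that payload nothing to read after a reload, and the cookie builder shows the attributes the HttpOnly route needs.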

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.browser-token-storage.rule.yaml.