I am working on an Angular / Django REST framework project and I need to store the primary key of the user in local storage after login for feature operations. But I have noticed that it is visible in the browser and also any JavaScript developer can edit it. How do I make my app secure?
- Encrypt the primary key and then store it in local storage? But which method is best for this encryption and decryption?
- Any other solutions?
CodePudding user response:
Do NOT trust the client's browser to handle your security.
The key will always be visible publicly, no matter what. If you encrypt it, one can find the encryption code and simply reverse it, or log the clear key before its encryption.
But it's not a "bad" thing to have your key visible in JS.
The goal is for the key to be securely created on the server, then sent to the browser.
This is how tokens work most of the time. You can even see their content, but they have a secret signature that only the server knows about, making them a source of truth: if one tries to edit it, the server can check if the signature is valid (which it will not be after an edit), then act accordingly.
In short: do not care about the clear key in the browser, as long as it has been created securely on the server.
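The signed-token idea from the answer above, as an added example (not code from the question or the answer): the payload carrying the user's primary key is readable by anyone in the browser, but only the server holds the HMAC secret, so an edited payload fails verification. It uses only the Python standard library rather than a Django or JWT library, and `SERVER_SECRET` is a constructed placeholder that a real deployment would load from server-side configuration.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secret; a real deployment loads this from server-side config
# and it never reaches the browser.
SERVER_SECRET = b"server-only-secret-never-shipped-to-the-browser"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_pk: int, secret: bytes = SERVER_SECRET) -> str:
    """Server side: the payload is readable by anyone, but the MAC binds it to the secret."""
    payload = _b64(json.dumps({"user_pk": user_pk}).encode("utf-8"))
    mac = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64(mac)}"


def read_payload(token: str) -> dict:
    """Browser side: anyone can decode the payload without knowing the secret."""
    payload, _ = token.split(".", 1)
    return json.loads(_unb64(payload))


def verify_token(token: str, secret: bytes = SERVER_SECRET):
    """Server side: return the payload only if the signature matches, else None."""
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # edited payload or wrong secret: reject
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: reject


def simulate_local_storage_edit(token: str, new_pk: int) -> str:
    """Simulate a user changing the pk in local storage; they cannot re-sign it."""
    _, sig = token.split(".", 1)
    return f"{_b64(json.dumps({'user_pk': new_pk}).encode('utf-8'))}.{sig}"
```

`read_payload` shows that the key is indeed visible client side, while `verify_token` shows why that does not matter: the edited token is rejected by the server.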