Ahead in 2020: Preparing for new mechanisms that will help secure APIs
Possible issues with handling cookies
Securing localStorage is only a matter of time
So, we have a situation where many, many developers are doing a bad security thing because the right thing to do is hard and non-obvious. The underlying problem is that localStorage has no access control at all: any script running on the origin, whether injected through XSS or pulled in from a compromised third-party dependency, can read every value in the store and ship a stored JWT to an attacker. That’s why I believe that in the year ahead browser vendors will begin to recognize the need to roll out mitigations to help secure localStorage, adding in the moral equivalent of all the mechanisms cookies have been gifted over the last 20 years. Cookies started out with many of the same security vulnerabilities localStorage originally had, and only through bolt-ons like the HttpOnly, Secure and SameSite flags have they acquired the properties that make them a better choice than localStorage for JWTs: an HttpOnly cookie is never exposed to document.cookie, and SameSite narrows the cross-site requests the browser will attach it to, which is the CSRF exposure that moving a token into a cookie would otherwise reintroduce. It’s only a matter of time before localStorage is similarly secured by adding new mechanisms to declare which scripts should be allowed to read and write which values in the store, solving major headaches for developers everywhere.
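To make the comparison concrete, here is an added example (not code from the original article) that builds a Set-Cookie header for a JWT with the three flags discussed above and audits an arbitrary Set-Cookie header for the protections localStorage has no equivalent of. The cookie name, Path and Max-Age values are assumptions chosen for the example; it runs under Node.js with no network access.

```javascript
// Added example, not from the original article. Assumed cookie name,
// Path and Max-Age values are illustrative only.

// Attributes a token-bearing cookie should carry. HttpOnly keeps the value
// out of document.cookie (so an XSS payload cannot read it the way it can
// call localStorage.getItem), Secure keeps it off plaintext HTTP, and
// SameSite limits the cross-site requests the browser attaches it to.
const REQUIRED_ATTRIBUTES = ['HttpOnly', 'Secure', 'SameSite'];

// Build the Set-Cookie header value for a JWT session cookie.
function buildSessionCookie(name, jwt, { maxAgeSeconds = 3600, sameSite = 'Strict' } = {}) {
  // RFC 6265 cookie values may not contain ';', ',', whitespace or '"'.
  // A compact JWS (base64url segments joined by '.') never does, so reject
  // anything else instead of emitting a malformed header.
  if (!/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/.test(jwt)) {
    throw new Error('value is not a compact JWS');
  }
  // SameSite=None would attach the token to every cross-site request.
  if (!['Strict', 'Lax'].includes(sameSite)) {
    throw new Error('SameSite must be Strict or Lax for a session token');
  }
  return [
    `${name}=${jwt}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'Secure',
    'HttpOnly',
    `SameSite=${sameSite}`,
  ].join('; ');
}

// Parse one Set-Cookie header value into its name/value pair and a map of
// lower-cased attribute names to values (true for flag-only attributes).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const attr of attrs) {
    if (attr === '') continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Report which protections a Set-Cookie header is missing; an empty array
// means the cookie carries everything a JWT in localStorage cannot.
function auditSetCookie(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  for (const required of REQUIRED_ATTRIBUTES) {
    if (!(required.toLowerCase() in attributes)) findings.push(`missing ${required}`);
  }
  const sameSite = attributes.samesite;
  if (typeof sameSite === 'string' && sameSite.toLowerCase() === 'none') {
    findings.push('SameSite=None offers no cross-site request protection');
  }
  return findings;
}

// Constructed sample JWT (header and payload are base64url; the signature
// segment is a placeholder, since only the cookie handling matters here).
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl';
console.log(buildSessionCookie('session', SAMPLE_JWT));
console.log(auditSetCookie('session=abc; Path=/'));
```

Pointing `auditSetCookie` at the Set-Cookie headers your own login endpoint returns is a quick way to confirm the bolt-ons are actually in place; a finding of `missing HttpOnly` means the token is as readable to an injected script as it would be in localStorage.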
Ideally, this happens before a spate of attacks exploiting the common, insecure practice. But nothing galvanizes a response like a wave of unflattering media coverage, so it’s just as likely that 2020 is the year of the localStorage exploit and 2021 is the year of the response.