Reputation: 1238
As an example I have a Vue.js application. When the app is loaded, I fetch some sensitive data from the server over HTTPS and store it in the Vuex Store client side.
Is there any way someone can read that data via the Developer Tools in the browser or some other way? Is it safe? Is there any way for someone to write to the Vuex Store in the same manner?
Upvotes: 3
Views: 1752
Reputation: 15570
The developer console can be considered part of the application in this regard. Anything you could do in code can be done on the console as well. If your app can access something, so can the user.
And it's even worse than that. Even if your user doesn't care about client-side stores, because it's his data anyway, if your app is vulnerable to XSS, a malicious user exploiting it can also access any data in client-side stores.
In addition to that, if you store something on the client, it may get written to disk (cookies, websql, and so on). So if the attacker has access to the client PC even outside the context of the application, he will also be able to access such data.
So in short, simply don't persist sensitive data on the client.
Upvotes: 1
Reputation: 34286
Is there any way someone can read that data via the Developer Tools in the browser or some other way?
Yes. All you need is a reference to a Vue component, then you can access its $store property.
In dev tools, select an element in the DOM corresponding to a Vue component. Then in the console, enter:
    $0.__vue__.$store
and you have access to the Vuex store. $0 corresponds to the selected DOM element.
In general, you should always assume that all client-side data can be accessible by the user in one way or another. There may be ways you can "hide" this data, or make it more difficult to access.
Upvotes: 6
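The following is an added example, not code from the question or from either answer. It ties the two answers together in working code: locating the store from a selected element the way the $0.__vue__.$store console trick does, reading and then overwriting the "sensitive" state through the store's public commit() API (so the answer to "can someone write to it" is also yes), and showing what a persisted-state plugin writes to storage when the auth branch is, or is not, in its allowlist. It assumes a Vue 2 app (Vue 2 sets el.__vue__ on a component's root element; Vue 3 does not set that property), and it replaces Vuex, the DOM and localStorage with small stand-ins so it runs under Node without a browser. The mutation name setToken, the storage key vuex, the state shape and the token value are all constructed for the example.

```javascript
// Added example, not code from the original question or answers.
// Vuex, the DOM and localStorage are replaced by small stand-ins so this
// runs under Node. Assumed app shape: Vue 2, where a component's root
// element exposes its instance as el.__vue__ and the instance has $store.

// Stand-in for the subset of the Vuex Store API used below:
// state, commit(type, payload), subscribe(fn) and plugins.
function createFakeStore({ state, mutations, plugins = [] }) {
  const subscribers = [];
  const store = {
    state,
    commit(type, payload) {
      if (!mutations[type]) throw new Error(`[vuex] unknown mutation type: ${type}`);
      mutations[type](store.state, payload);
      subscribers.forEach((fn) => fn({ type, payload }, store.state));
    },
    subscribe(fn) { subscribers.push(fn); },
  };
  plugins.forEach((plugin) => plugin(store));
  return store;
}

// Part 1: what $0.__vue__.$store gives someone at the DevTools console.
// $0 is not always a component root, so walk up from the selected element
// until a node carries a Vue instance that has a store.
function findStore(el) {
  for (let node = el; node; node = node.parentNode) {
    if (node.__vue__ && node.__vue__.$store) return node.__vue__.$store;
  }
  return null; // no Vue 2 instance above this element
}

// Reading: the whole state tree, secrets included, is one property access away.
function readState(el) {
  return findStore(el).state;
}

// Writing: commit() is public API, so Vuex strict mode does not prevent it;
// the only thing needed is the mutation name, visible in the shipped bundle.
function overwriteToken(el, token) {
  const store = findStore(el);
  store.commit('setToken', token);
  return store.state.auth.token;
}

// Part 2: what ends up on disk. A plugin in the style of vuex-persistedstate:
// after every mutation, serialize an allowlisted subset of the state into
// storage (localStorage in a browser). Listing 'auth' in `paths` is the weak
// setting; leaving it out is the fix the first answer asks for.
function persistencePlugin(storage, key, paths) {
  return (store) => {
    store.subscribe((_mutation, state) => {
      const subset = {};
      for (const p of paths) if (p in state) subset[p] = state[p];
      storage.setItem(key, JSON.stringify(subset));
    });
  };
}

// In-memory stand-in for window.localStorage.
function createMemoryStorage() {
  const items = new Map();
  return {
    setItem: (k, v) => items.set(k, String(v)),
    getItem: (k) => (items.has(k) ? items.get(k) : null),
  };
}

// Constructed app: a store holding a constructed token, a persistence plugin
// with the given allowlist, and a two-node fake DOM where `selected` plays
// the role of $0 (a plain element somewhere below the component root).
function buildApp(persistPaths) {
  const storage = createMemoryStorage();
  const store = createFakeStore({
    state: { ui: { theme: 'dark' }, auth: { token: 'constructed-session-token' } },
    mutations: {
      setTheme(state, theme) { state.ui.theme = theme; },
      setToken(state, token) { state.auth.token = token; },
    },
    plugins: [persistencePlugin(storage, 'vuex', persistPaths)],
  });
  const root = { parentNode: null, __vue__: { $store: store } };
  const selected = { parentNode: root };
  return { storage, store, selected };
}

// What someone with access to the client's disk would find under the key.
function persistedToken(storage) {
  const saved = JSON.parse(storage.getItem('vuex') || '{}');
  return saved.auth ? saved.auth.token : undefined;
}

// Usage, mirroring the console session from the answer above.
const leaky = buildApp(['ui', 'auth']);                   // persists everything
console.log(readState(leaky.selected).auth.token);        // secret read
console.log(overwriteToken(leaky.selected, 'attacker'));  // secret overwritten
console.log(persistedToken(leaky.storage));               // and now on "disk"

const hardened = buildApp(['ui']);                        // auth never persisted
overwriteToken(hardened.selected, 'attacker');
console.log(persistedToken(hardened.storage));            // undefined
```

The allowlist only addresses the disk copy; as both answers say, whatever stays in memory is still readable from the console or from any script running in the page, so the in-memory store should hold only what the UI actually needs to render.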