Reputation: 61
I'm building a very big website project in ReactJS which handles money, so I'm kinda paranoid when talking about security.
I have a Login component which has a state composed of "email" and "password". Those values are populated by typing in the corresponding input fields. The actual login structure is very secure anyway because I'm using JWT with a public and private key and a CSRF token.
My problem is that I don't know how secure it is to store email and password in the local state. Can it be easily accessed by cross-site scripting, or can it only be seen by a React Chrome extension? From what I know, state should not be persistent. Can anyone clear up my doubt?
(please don't hate me for some English mistakes, I'm Italian so "mamma mia pizzeria")
Upvotes: 5
Views: 2923
Reputation: 24945
to store email and password in the local state
This is a very bad idea. Storing sensitive data on the client is always risky, as it can be retrieved using dev tools. It will be time-consuming but achievable. And since your product deals with money, you should be paranoid.
A better way would be to create a login form and, on success, send a CSRF_TOKEN or any hash. Store this hash and validate it for every request along with the IP or any other unique generated value.
Ideally, you should not save UserName/Email and Password. If you wish to display the user's name or username for a greeting, keep a Nickname property in the User class and use it. That way you are not exposing any important information.
Email is also vital information, as someone can send a phishing email and trick the user into giving away important details. You can look into Secure Cookies and other ways, but storing in local state/local store is always bad.
Upvotes: 2
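As an added example (not code from the question or the answer above), here is a framework-free sketch of the login-state handling the answer recommends: credentials are held only while the user is typing, wiped on submit whether it succeeds, fails or throws, and all that remains in state afterwards is a nickname for the greeting. It assumes the server establishes the session in an httpOnly cookie and returns a nickname; `createLoginForm`, `postLogin` and `fakePostLogin` are hypothetical names, and `postLogin` is synchronous here only so the example runs offline.

```javascript
// Added example: a minimal model of a login form's state, independent of React,
// showing how to avoid keeping credentials around on the client.
// Assumptions: on success the server sets the session in an httpOnly cookie
// (unreadable from JavaScript) and returns { ok: true, nickname }. `postLogin`
// is injected and synchronous so the example runs offline with a constructed fake.

function createLoginForm(postLogin) {
  // Credentials live only in this closure and only while the user is typing.
  let state = { email: '', password: '', nickname: null, loggedIn: false };

  return {
    setEmail(v) { state = { ...state, email: v }; },
    setPassword(v) { state = { ...state, password: v }; },

    // Submit, then wipe the credentials no matter how the request ends, so they
    // are not left sitting in state for dev tools or an injected script to read.
    submit() {
      const { email, password } = state;
      let result;
      try {
        result = postLogin({ email, password });
      } finally {
        state = { ...state, email: '', password: '' };
      }
      if (result && result.ok) {
        // Keep only what the UI needs for a greeting: no token, no email.
        state = { ...state, loggedIn: true, nickname: result.nickname };
      }
      return state.loggedIn;
    },

    // Snapshot of what the component would currently hold in state.
    getState() { return { ...state }; },

    // The only part worth persisting across reloads is a display name.
    persistable() { return { nickname: state.nickname }; },
  };
}

// Constructed fake server: accepts one credential pair and returns a nickname.
function fakePostLogin({ email, password }) {
  if (email === 'user@example.com' && password === 'correct horse') {
    return { ok: true, nickname: 'Marco' };
  }
  return { ok: false };
}
```

Whatever the outcome, `getState()` after `submit()` never contains the password or email, and `persistable()` exposes nothing a phishing attempt could use.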