Are API Tokens Safe in Flux Storage (Redux)?

Is it possible to store the API token returned by the authentication call in the Flux store (in particular, Redux)? I used Webpack to compile all the assets in the project, which, in my opinion, means that the store is not accessible to third-party scripts that want to read the store and extract the token.

And, for what it's worth, the token is sent over HTTPS in the Authorization: Bearer ... header.

+7
Tags: reactjs, redux, flux

1 answer

If untrusted third-party scripts are running on the page, you should assume that nothing is safe, because the whole integrity of the page is compromised.

If only trusted scripts are running, you can assume that your token is safe, taking into account browser security and how well your site is protected against XSS attacks.

EDIT:

To clarify, this is security against third-party scripts. If you are trying to hide your token from the user himself, then the answer is that it will always be insecure, no matter how obfuscated your code is, because if the user's computer has access to it, then in the end the user can get access to it (you can make it more difficult, but not impossible).

+7
