Where do you store secrets in CLJS apps?

Hi there!
I’m starting adventure with frontend and Clojurescript, and want to make http calls to external API. Where should I store secrets in my application? Is storing in local storage safe?
Regards,
Paweł

It depends on what kind of secret you want to store. In general anything secret must remain on the server and never make it to the client in any way. There is no secure place to store it.

If you are talking a per-user “secret” like a session id or JWT token then they are all equally safe to store (eg. localStorage, cookies).

1 Like

Not sure what service you intend to call. But here is the doc for AWS: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-browser.html

In general, it is not secure to store secrets locally anywhere in the browser, except for the user keyring, but you can’t store into that directly I don’t think. The user has to enter their credentials in a form and choose to store them to the keyring.

So what normally happens is that the user enters their credentials temporarily in a form and that’s sent to a backend service (the creds are not stored persistently in the browser, so they are forgotten as soon as entered), now the backend service will perform authentication and authorization, and return a temporary credential, often called an auth token. You can then store that locally.

Even more so, the form page where the user enter his credentials to login and acquire the auth token must be handling them very well, so generally you want to use HTTPS and have a valid cert, and all kind of other measures on it.

Now, if you trust the other users of your computer, and trust the other programs running on it, and all webpages you visit, you could store secret locally unencrypted, but at your own risk or your user risks. Since that method is only secure if know one wants to hack you. It’s like leaving your house door unlocked at all time. You gotta trust your neighborhood.

Finally, you could store encrypted secrets locally. And ask the user to enter their decryption key every time. Basically creating a kind of local keyring on your own. That’s also a bit risky though. It’s very hard to do correctly.

Bottom line, the service you call must offer an auth mechanism, if not it won’t be secure storing their secrets locally.

There are no secrets. You can store session data. That can be used within the same channel as a key to state on the sever.

Two critical things.

  • Give the data very short lifetimes. Minutes. Less then the expected session length. Remove them and refresh them every few transactions. The right length of time and frequency are all “depends.” Explicitly remove them at log off, even though the time-to-live/expire will kill them eventually. You can’t trust someone to keep time correctly. Basically, presume they’re out to harm you.

  • Never use anything related to your servers or the users. Never create your own tokens either. Use a prebuilt PRNG. The java libraries have a secure random class. Use it for your keys. Don’t recreate the wheel. If possible, keep all of your keys in-memory on the server. Depending in your application, firewalling access to the keys in memory might be needed (unusual, but not too rare).

1 Like