Learn how to use the Web Crypto API and CryptoJS to encrypt and decrypt local storage and cookies in HTML5. Protect your data from hackers and XSS attacks.

According to MDN web docs, the Web Crypto API provides a number of low-level cryptographic primitives. It's very easy to misuse them, and the pitfalls involved can be very subtle.

All
HTML

How do you encrypt local storage data in HTML5?

If you want to store sensitive data on the user's browser, you might be wondering how to encrypt local storage data in HTML5. Local storage and cookies are two common methods of storing data on the client side, but they are not secure by default. Anyone with access to the browser can view or modify the data, and hackers can exploit cross-site scripting (XSS) attacks to steal the data. In this article, you will learn how to encrypt local storage data in HTML5 using the Web Crypto API and the CryptoJS library.

1 Web Crypto API

The Web Crypto API is a native JavaScript API that provides cryptographic functions for web applications. It supports various algorithms for encryption, decryption, hashing, signing, and verification. You can use the Web Crypto API to generate random keys, encrypt and decrypt data, and store the keys securely in the browser. To use the Web Crypto API, you need to access the crypto or window.crypto object, which exposes a subtle property that contains the cryptographic methods.

Add your perspective

Shraddha -

Software Engineer | Typescript | Python | React | NodeJS | PostgreSQL
(edited)
Report contribution
According to MDN web docs, the Web Crypto API provides a number of low-level cryptographic primitives. It's very easy to misuse them, and the pitfalls involved can be very subtle.

Like

2 CryptoJS library

CryptoJS is a popular JavaScript library that implements various cryptographic algorithms and utilities. It is compatible with the Web Crypto API and can be used to encrypt and decrypt data using different modes and padding schemes. You can use CryptoJS to convert data between different formats, such as strings, hex, base64, and words. To use CryptoJS, you need to include the library in your HTML file or import it as a module in your JavaScript file.

Add your perspective

3 Encrypting local storage data

To encrypt local storage data in HTML5, you need to generate a random key using the Web Crypto API's crypto.subtle.generateKey method and export it as a raw format. Convert the key to a base64 string with CryptoJS.enc.Base64.stringify and store it in local storage with the localStorage.setItem method. Then, use the CryptoJS.AES.encrypt method to encrypt the data, specifying the mode, padding, and initialization vector (IV) for the encryption in an optional configuration object. Finally, convert the cipher text object to a string with the toString method and store it in local storage with localStorage.setItem.

Add your perspective

Ravil Nugmanov

Founder, Software Architect at One-Way Automation
Report contribution
So, you suggest saving the encryption key right next to the data encrypted with it. Question: what would prevent the hacker to get that key and use it to decrypt that data?

Like
Leon Brown

Full stack software developer and trainer. Web applications, database systems, e-commerce and e-learning.
Report contribution
An important question to ask is whether client side storage is suitable? Despite passwords being encrypted in server side databases, people are still asked to change their passwords anytime there's been a security breach because of the fear that stolen data can be decrypted. Even with one way encryption, hackers can still use a dictionary based algorithm to identify encrypted information.

Like

4 Decrypting local storage data

To decrypt local storage data in HTML5, you must first retrieve the key from the local storage using the localStorage.getItem method, which you can use with the same name that you used to store the key. Then, convert the key from a base64 string to an ArrayBuffer via CryptoJS.enc.Base64.parse method, which decodes the key data. After that, import the key as a raw format using crypto.subtle.importKey method to return a key object that matches the algorithm and usage that you used to generate the key. Next, retrieve the encrypted data from local storage using localStorage.getItem method, again using the same name that you used to store it. Convert this encrypted data from a string to a cipher text object using CryptoJS.AES.decrypt method with data, key, and an optional configuration object as arguments for specifying mode, padding, and IV for decryption. This will return a plain text object containing decrypted data and IV. Finally, convert this plain text object to a string with the toString method to decode plain text and IV as UTF-8 string, before using the decrypted data as needed in your application.

Add your perspective

5 Encrypting cookies

To encrypt cookies in HTML5, you can use a similar approach as encrypting local storage data. However, instead of storing the key and the encrypted data in the local storage, you need to store them as cookies using the document.cookie property. You also need to specify some attributes for the cookies, such as the name, value, expiration date, path, domain, and secure flag. To encrypt and decrypt cookies, you can use the same methods from the Web Crypto API and the CryptoJS library as described above.

Add your perspective

How do you encrypt local storage data in HTML5?

1

2

3

4

5

1 Web Crypto API

2 CryptoJS library

3 Encrypting local storage data

4 Decrypting local storage data

5 Encrypting cookies

HTML

Rate this article

Thanks for your feedback

More articles on HTML

More relevant reading