JavaScript Can't Keep a Secret

Learn why we should never store private information on the client, including in URLs.

Client-side secrets are common

In 2022, RedHunt Labs (an information security company) performed a study on secrets exposed via client-side web applications. Across the top one million internet domains, they captured a staggering 395,713 secrets. Many of the secrets were used to manage authentication, such as API keys or cryptographic secrets, including Stripe tokens, Google reCAPTCHA keys, Google Cloud API keys, AWS keys, and Facebook tokens.
