2023-08-17 04:06:41

ancapone on Nostr:

Hey devs of Nostr, I have a serious question. If you are not a Nostr dev, please repost or tag whomever you feel can help. Thanks in advance.

I am writing my own client (React PWA), and right now I am dealing with how to store the nsec securely across sessions.

I thought to check how Iris and Snort deal with the issue and found out they both store it in plain text in localStorage.

I am by no means a security expert or a pen tester, but I was under the impression that storing sensitive data in localStorage leaves the data vulnerable to XSS attacks, which in the case of an nsec seems kinda dangerous, as there is no additional level of protection (like a password, 2FA or literally anything else) and no way to replace the key and invalidate the old one.

Am I missing something here, or are both apps leaving users vulnerable to XSS attacks?

I myself haven't found any better solution that does not require the use of browser extensions (which some browsers do not allow), given how the keys work right now. Does anybody have a decent solution?
Author Public Key
npub1363f98sscslf6hhq9gkh9fjhsvn8x7p4h6577sd969n9yhhgg7yqwpmepl