Browser Storage Inspector
Inspect localStorage and sessionStorage JSON dumps for security issues, sensitive data exposure, expired tokens, and storage anti-patterns
Paste a JSON object from JSON.stringify(localStorage) or JSON.stringify(sessionStorage). Warn at 500KB, maximum 5MB.
What is the Browser Storage Inspector?
The Browser Storage Inspector analyzes localStorage and sessionStorage
JSON dumps for security vulnerabilities, excessive usage, and sensitive data exposure. It detects
authentication tokens, passwords, API keys, PII, expired credentials, and storage anti-patterns —
then calculates a security score with actionable recommendations.
How to Use
- Open your browser's DevTools (F12 or Cmd+Option+I)
- In the Console tab, run JSON.stringify(localStorage) or JSON.stringify(sessionStorage)
- Copy the output and paste it into the input field
- Click "Inspect" or wait for automatic analysis
- Review findings with severity ratings and follow recommendations
Example: Insecure Storage
This storage dump contains several security issues:
{
"auth_token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiam9obiIsImV4cCI6MTcwMDAwMDAwMH0.abc",
"user_password": "MyS3cretP@ss!",
"api_key": "sk-proj-abcdef1234567890abcdef",
"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
"debug_mode": "true",
"user_email": "john.doe@company.com"
}
What Issues Are Detected?
- JWT Tokens — Authentication tokens vulnerable to XSS theft
- Passwords & Secrets — Credentials that should never be client-side
- API Keys — Client secrets and API keys exposed to JavaScript
- Cloud Credentials — AWS keys, GitHub tokens in browser storage
- PII — Email addresses, phone numbers, SSNs, credit card numbers
- Expired Tokens — JWT tokens past their expiration time
- Oversized Values — Individual keys consuming excessive storage quota
- Debug Data — Development artifacts left in production storage
- Missing Namespaces — Keys without prefixes risking third-party collisions
Why Browser Storage Is Risky for Sensitive Data
Browser storage (localStorage and sessionStorage) is accessible to
any JavaScript running on your page. If your site has an XSS vulnerability — even from a
third-party script — attackers can read all stored values. Unlike httpOnly cookies,
there is no browser mechanism to protect storage from JavaScript access.
Secure Alternatives
- httpOnly Cookies — For authentication tokens. Script cannot read them, so an XSS payload cannot exfiltrate the token; it can still issue requests from the page that carry the cookie, so pair them with the Secure and SameSite attributes and CSRF protection
- sessionStorage — For temporary data (cleared when the tab closes, not shared across tabs). It is still readable by any script on the page, so it is not a fix for sensitive values
- IndexedDB — For large structured data that needs client-side persistence, and for persisting non-extractable CryptoKey objects
- In-memory variables — For sensitive data that should not survive a page refresh
- WebCrypto API — For cryptographic keys generated with extractable set to false: the page can use the key for operations, but no script can read the key bytes out
Privacy and Security
All inspection happens entirely in your browser using JavaScript. Your storage data — which may contain authentication tokens, credentials, and personal information — is never transmitted to any server. No data is stored, logged, or shared. This is critical since browser storage often contains sensitive production data.
Frequently Asked Questions
What does the Browser Storage Inspector detect?
The inspector analyzes localStorage and sessionStorage dumps for security issues including: JWT tokens, passwords, API keys, AWS credentials, GitHub tokens, private keys, credit card numbers, PII (emails, phone numbers, SSNs), expired tokens, excessive storage usage, oversized keys, and suspicious key patterns like debug data left in production.
How do I export my browser storage for analysis?
Open your browser's DevTools (F12), go to the Console tab, and run: JSON.stringify(localStorage) or JSON.stringify(sessionStorage). Copy the resulting JSON string and paste it into the tool input. You can also use the Application tab in DevTools to view storage contents.
Why is storing JWT tokens in localStorage a security risk?
localStorage is accessible to any JavaScript running on your page, including scripts injected via XSS (Cross-Site Scripting) attacks. If an attacker injects malicious JavaScript, they can read all localStorage values and steal authentication tokens, then use them from anywhere. httpOnly cookies cannot be read by JavaScript, so the token itself cannot be exfiltrated; pair them with SameSite and CSRF protection, since an injected script can still make requests from the page that carry the cookie.
Is my storage data sent to a server?
No. All inspection happens entirely in your browser using JavaScript. Your storage data — which may contain tokens, credentials, and personal information — is never transmitted to any server. No data is stored, logged, or shared.
How is the security score calculated?
The score starts at 100 and deducts points based on finding severity: Critical issues (passwords, private keys, AWS credentials) deduct 25 points each, High severity (JWT tokens, API keys) deduct 15 points, Medium (expired tokens, PII) deduct 8 points, and Low (oversized keys, debug data) deduct 3 points.
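As an added example (not the tool's own source), the block below re-implements a compact version of the checks listed under "What Issues Are Detected?" and applies the scoring from this answer to the insecure dump shown earlier on the page. The severity weights follow this answer; the 100 KB oversized threshold, the namespace rule (a prefix followed by "." or ":"), and the specific regexes for API keys, AWS key IDs, PII and debug keys are assumptions made for the example, not the tool's actual rules.

```javascript
// Added example (not the tool's own code): a minimal storage-dump inspector.
// Severity weights follow the page's scoring FAQ; thresholds and patterns are assumptions.
const WEIGHTS = { critical: 25, high: 15, medium: 8, low: 3 };
const OVERSIZED_CHARS = 100 * 1024;          // assumption: flag values above 100 KB
const NAMESPACED = /^[A-Za-z0-9-]+[.:]/;      // assumption: "myapp.x" or "myapp:x" counts as namespaced

// Decode one base64url JWT segment. Claims are only read, never trusted:
// no signature verification happens here.
function b64urlDecode(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, '='));
}

// Returns { header, payload } for a three-part token with an alg header, else null.
function parseJwt(value) {
  const parts = String(value).split('.');
  if (parts.length !== 3) return null;
  try {
    const header = JSON.parse(b64urlDecode(parts[0]));
    const payload = JSON.parse(b64urlDecode(parts[1]));
    return typeof header.alg === 'string' ? { header, payload } : null;
  } catch {
    return null;
  }
}

// Luhn check so that arbitrary long digit runs are not reported as card numbers.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Inspect a flat key -> string object; returns findings and the 100-minus-penalties score.
function inspectStorage(dump, now = Date.now()) {
  const findings = [];
  const add = (key, severity, message) => findings.push({ key, severity, message });

  for (const [key, raw] of Object.entries(dump)) {
    const value = String(raw);

    // Critical: credentials that must never be client-side.
    if (/passw(or)?d|passwd|secret/i.test(key)) add(key, 'critical', 'password or secret stored client-side');
    if (/-----BEGIN [A-Z ]*PRIVATE KEY-----/.test(value)) add(key, 'critical', 'private key material');
    if (/\bAKIA[0-9A-Z]{16}\b/.test(value)) add(key, 'critical', 'AWS access key ID');

    // High: tokens and API keys readable by any script on the origin.
    const jwt = parseJwt(value);
    if (jwt) {
      add(key, 'high', `JWT (alg ${jwt.header.alg}) exposed to JavaScript`);
      // Medium: expired token left behind; exp is seconds since the epoch.
      if (typeof jwt.payload.exp === 'number' && jwt.payload.exp * 1000 < now) {
        add(key, 'medium', `expired JWT (exp ${new Date(jwt.payload.exp * 1000).toISOString()})`);
      }
    }
    if (/api[_-]?key/i.test(key) || /\bsk-[A-Za-z0-9_-]{16,}\b/.test(value)) add(key, 'high', 'API key');

    // Medium: PII.
    if (/[\w.+-]+@[\w-]+\.[\w.-]+/.test(value)) add(key, 'medium', 'email address');
    if (/\b\d{3}-\d{2}-\d{4}\b/.test(value)) add(key, 'medium', 'SSN-like number');
    const card = value.replace(/[ -]/g, '').match(/\b\d{13,19}\b/);
    if (card && luhnValid(card[0])) add(key, 'medium', 'card number (passes Luhn)');

    // Low: storage hygiene.
    if (value.length > OVERSIZED_CHARS) add(key, 'low', `oversized value (${value.length} chars)`);
    if (/debug|^(test|dev|tmp)[_-]/i.test(key)) add(key, 'low', 'debug/development artifact');
    if (!NAMESPACED.test(key)) add(key, 'low', 'key has no namespace prefix');
  }

  const penalty = findings.reduce((sum, f) => sum + WEIGHTS[f.severity], 0);
  return { findings, score: Math.max(0, 100 - penalty) };
}

// Accepts the text from JSON.stringify(localStorage); rejects arrays and primitives.
function inspectJsonDump(text) {
  const dump = JSON.parse(text);
  if (dump === null || typeof dump !== 'object' || Array.isArray(dump)) {
    throw new TypeError('expected a flat JSON object of key/value strings');
  }
  return inspectStorage(dump);
}

// Constructed sample: the insecure dump from the example on this page.
const INSECURE_DUMP = JSON.stringify({
  auth_token: 'eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiam9obiIsImV4cCI6MTcwMDAwMDAwMH0.abc',
  user_password: 'MyS3cretP@ss!',
  api_key: 'sk-proj-abcdef1234567890abcdef',
  AWS_ACCESS_KEY_ID: 'AKIAIOSFODNN7EXAMPLE',
  debug_mode: 'true',
  user_email: 'john.doe@company.com',
});
// Constructed sample: namespaced, non-sensitive keys only.
const CLEAN_DUMP = JSON.stringify({ 'myapp:theme': 'dark', 'myapp:cart': '[]' });

const report = inspectJsonDump(INSECURE_DUMP);
for (const f of report.findings) console.log(`[${f.severity}] ${f.key}: ${f.message}`);
console.log('score:', report.score);
```

Every key in the insecure dump draws at least one finding (the JWT draws three: exposure, expiry, and a missing namespace), so the penalties exceed 100 and the score floors at 0, while the clean dump scores 100. The Luhn step is what keeps a stray order number from being reported as a card.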
What format should the input be in?
The input should be a JSON object with string key-value pairs, exactly as returned by JSON.stringify(localStorage). For example: {"user_token": "eyJ...", "theme": "dark", "cart": "[...]"}. Arrays and primitive values are not valid — the tool expects a flat key-value object.
Why are expired tokens a security concern?
Expired tokens indicate that your application is not cleaning up authentication state properly. Stale tokens waste storage space and could be replayed if a server does not properly validate expiration. They also reveal information about your authentication flow to anyone inspecting storage.
What is the recommended alternative to localStorage for sensitive data?
Use httpOnly cookies for authentication tokens (unreadable by JavaScript, so an XSS payload cannot exfiltrate them; add SameSite and CSRF protection because scripts can still send requests that carry them), sessionStorage for temporary data that should not persist across tabs (still script-readable, so not for secrets), IndexedDB for large structured data, and in-memory variables for sensitive data that should not survive page refreshes. For cryptographic keys, use the WebCrypto API with non-extractable keys, which the page can use but no script can read out.
What are namespace collisions in browser storage?
Since localStorage is shared across all scripts on the same origin, different libraries or applications might use the same key names (like 'token' or 'user'). Using namespace prefixes (e.g., 'myapp.token', 'myapp:user') prevents third-party scripts from accidentally overwriting your data.