WebOptions
Specific options for the Web platform for secure storage.
Configures database, encryption, and storage behavior on web platforms.
Properties
- db_name (str) – The name of the database used for secure storage.
- public_key (str) – The public key used for encryption.
- use_session_storage (bool) – Whether to use session storage instead of local storage.
- wrap_key (str) – The key used to wrap the encryption key.
- wrap_key_iv (str) – The initialization vector (IV) used for the wrap key.
Properties
db_name (class-attribute, instance-attribute)
db_name: str = 'FletEncryptedStorage'
The name of the database used for secure storage.
public_key (class-attribute, instance-attribute)
public_key: str = 'FletSecureStorage'
The public key used for encryption.
use_session_storage (class-attribute, instance-attribute)
use_session_storage: bool = False
Whether to use session storage instead of local storage.
Important Security Considerations
SecureStorage uses an experimental implementation based on the WebCrypto API. Use at your own risk. The browser creates the private key; encrypted strings in localStorage are not portable to other browsers or machines and only work on the same domain.
You MUST have HTTP Strict Transport Security (HSTS) enabled and proper headers applied to your responses, or you could be subject to JavaScript hijacking.
Required security measures:
- Enable HSTS (HTTP Strict Transport Security)
- Use proper security headers
References:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
- https://www.netsparker.com/blog/web-security/http-security-headers/
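A deployment check for the header requirements above, as an added example (not part of the Flet documentation or Flet's own code): it parses Strict-Transport-Security following RFC 6797 and reports findings for one HTTPS response. The one-year minimum, the includeSubDomains requirement and the two extra headers it looks for are assumptions of this example, since the page does not name specific headers.

```python
# Assumed policy for this example (not from the Flet docs).
MIN_HSTS_MAX_AGE = 31536000  # one year, in seconds
REQUIRED_HEADERS = ("content-security-policy", "x-content-type-options")

def parse_hsts(value):
    """Return (max_age, include_subdomains); (None, False) if the header is invalid."""
    max_age, include_sub, seen = None, False, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if not name:
            continue
        if name in seen:  # RFC 6797: a repeated directive invalidates the header
            return None, False
        seen.add(name)
        if name == "max-age":
            if not (arg.isascii() and arg.isdigit()):
                return None, False
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return (max_age, include_sub) if max_age is not None else (None, False)

def audit_headers(headers):
    """Return findings for one HTTPS response's headers; an empty list means pass."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("HSTS header missing")
    else:
        max_age, include_sub = parse_hsts(h["strict-transport-security"])
        if max_age is None:
            findings.append("HSTS header invalid (no usable max-age)")
        elif max_age < MIN_HSTS_MAX_AGE:  # also catches max-age=0, which clears the policy
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
        elif not include_sub:
            findings.append("HSTS lacks includeSubDomains")
    findings += [f"{n} header missing" for n in REQUIRED_HEADERS if n not in h]
    return findings

# Constructed sample responses (illustrative values, not a captured deployment).
WEAK = {"Strict-Transport-Security": "max-age=300", "Content-Type": "text/html"}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
}
for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
    print(label, audit_headers(hdrs) or "ok")
```

Feed it the headers returned by the page that serves the web app; the Content-Security-Policy value in the sample is a placeholder, not a policy tuned for a Flet app.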
Application-Specific Key Wrapping
On web, all keys are stored in localStorage. You can wrap this stored key with an application-specific key to make it more difficult to analyze: