Is Redux secure?

2020-06-18 04:02发布

问题:

I'm learning Redux and I can see people storing all kinds of information into the state and doing all kinds of different operations through reducers. But is Redux secure or is there any known vulnerabilities of using Redux? If there are then are there any best practices that I can follow to secure the state?

回答1:

Is it not a good idea to save passwords and sensitive information in your redux store. When you go into production, definitely turn off the redux-devtools setting because if you don't then anyone can see your whole application state with the chrome extension (if you care about hiding your app state). You have to be especially careful if you are syncing your state to something like local storage as well. In general, send passwords or sensitive info right to the server in an encrypted fashion.



回答2:

Maybe let's change the question - does keeping any data in the client side is safe? And answer is no. Any kind of secret data should never exist in the front side. State management system will not change the app security. Even if you have encapsulated state the data can be catched by watching the network and data coming to the browser or by traversing html because most of the data in the front side is just used in the view. So, really any kind of data which gets to the browser should be considered as fully transparent and only the backend can really secure what is given and what not.



标签: redux