Vulnerability Detection | A02:2021 | A07:2021

Browser Storage & Session Token Scanner

Detect JWTs, refresh tokens, and session identifiers stored in localStorage or sessionStorage.

Browser-readable storage is a risky place for long-lived authentication tokens. This scanner analyzes HTML and same-origin JavaScript bundles for token-like keys stored in localStorage or sessionStorage, including Supabase session persistence patterns.

What this scanner does

The scanner fetches public pages and same-origin script bundles without executing any JavaScript, then searches the source text for token-like localStorage and sessionStorage usage. It flags access tokens, refresh tokens, JWTs, and persistent Supabase session storage.

Why it matters

One XSS flaw or compromised third-party script can read localStorage and sessionStorage. If refresh tokens live there, a short script injection can turn into durable account takeover.

Common findings

  • Refresh token persisted in localStorage
  • JWT stored in sessionStorage
  • Supabase session persistence in browser-readable storage
  • Token-like client storage keys in JavaScript bundles
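The static analysis described under "What this scanner does" and the findings listed above can be reproduced with a small source-text scanner. The following is an added example written for this page, not the product's own detection logic. It assumes the key-name heuristics, severity ratings and the constructed sample bundle shown below, and it assumes that supabase-js with `persistSession: true` writes the session (including its refresh token) to localStorage under a `sb-<project-ref>-auth-token` key, which is the library's default but not something this page states.

```python
import re

# Heuristic key-name patterns, checked in order; the first match wins.
# Constructed list for this example, not the scanner's own rule set.
TOKEN_KEY_PATTERNS = [
    (r"refresh[_-]?token", "refresh-token"),
    (r"access[_-]?token|id[_-]?token|\bjwt\b|bearer", "access-token/JWT"),
    (r"^sb-[\w-]+-auth-token$", "supabase-session"),  # assumed supabase-js key shape
    (r"auth[_-]?token|session(?:[_-]?(?:id|token))?$", "session-identifier"),
]
SEVERITY = {
    "refresh-token": "high",      # a stolen refresh token outlives the XSS that read it
    "supabase-session": "high",   # the persisted session object carries a refresh token
    "access-token/JWT": "medium",
    "session-identifier": "medium",
}

# A value that already looks like a compact JWT (header.payload.signature).
JWT_LITERAL_RE = re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+")
# localStorage.setItem('key', value) / sessionStorage.setItem("key", value)
SET_ITEM_RE = re.compile(
    r"\b(localStorage|sessionStorage)\s*\.\s*setItem\s*\(\s*(['\"])(.*?)\2\s*,\s*([^)]*)\)"
)
# localStorage.key = value  and  localStorage['key'] = value  (not == / ===)
PROP_ASSIGN_RE = re.compile(
    r"\b(localStorage|sessionStorage)\s*(?:\.\s*([A-Za-z_$][\w$]*)|\[\s*(['\"])(.*?)\3\s*\])\s*=[^=]"
)
# supabase-js createClient(..., { auth: { persistSession: true } })
SUPABASE_PERSIST_RE = re.compile(r"createClient\s*\([^;]*?persistSession\s*:\s*true")


def classify(key):
    """Map a storage key name to a finding category, or None if it is not token-like."""
    for pattern, category in TOKEN_KEY_PATTERNS:
        if re.search(pattern, key, re.I):
            return category
    return None


def _line_of(source, pos):
    return source.count("\n", 0, pos) + 1


def scan_storage_usage(source):
    """Return token-like browser-storage writes found in one JavaScript source text."""
    findings = []

    def add(pos, storage, key, category):
        findings.append({"line": _line_of(source, pos), "storage": storage, "key": key,
                         "category": category, "severity": SEVERITY[category]})

    for m in SET_ITEM_RE.finditer(source):
        storage, key, value = m.group(1), m.group(3), m.group(4)
        # Classify by key name first; fall back to a JWT-shaped literal value.
        category = classify(key) or ("access-token/JWT" if JWT_LITERAL_RE.search(value) else None)
        if category:
            add(m.start(), storage, key, category)

    for m in PROP_ASSIGN_RE.finditer(source):
        storage, key = m.group(1), m.group(2) or m.group(4)
        category = classify(key)
        if category:
            add(m.start(), storage, key, category)

    for m in SUPABASE_PERSIST_RE.finditer(source):
        # Assumption: supabase-js persists the session to localStorage by default.
        add(m.start(), "localStorage", "sb-<project-ref>-auth-token (default)", "supabase-session")

    return sorted(findings, key=lambda f: f["line"])


# Constructed sample bundle; line numbers below refer to this text.
SAMPLE_BUNDLE = """\
// app.bundle.js (constructed sample input for this example)
import { createClient } from '@supabase/supabase-js';
const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY, {
  auth: { persistSession: true, autoRefreshToken: true },
});
function onLogin(resp) {
  localStorage.setItem('refresh_token', resp.refresh_token);
  sessionStorage.setItem("jwt", resp.access_token);
  sessionStorage.setItem("debug_user", "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln");
  window.localStorage.theme = 'dark';
  localStorage['sb-abcdefgh-auth-token'] = JSON.stringify(resp.session);
}
"""

if __name__ == "__main__":
    for f in scan_storage_usage(SAMPLE_BUNDLE):
        print(f"line {f['line']:>3}  {f['severity']:<6} {f['storage']}.{f['key']}  [{f['category']}]")
```

Run against the sample, the scanner reports the Supabase `persistSession` client on line 3, the refresh token on line 7, the JWT keyed as `jwt` on line 8, the JWT-shaped literal under the innocuous key `debug_user` on line 9, and the bracket-assigned Supabase session key on line 11, while ignoring the harmless `theme` preference on line 10. Because the analysis is purely textual, keys built at runtime from concatenated strings will be missed, which is the trade-off of scanning without executing the bundle.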

OWASP Top 10 coverage

A02:2021 Cryptographic Failures
A07:2021 Identification & Authentication Failures

Run this check on your site

Get a full security report with remediation guidance in 30 seconds. No setup required.


Related security checks

Vulnerability Detection

Cross-Site Scripting (XSS) Scanner

Find XSS vulnerabilities that could let attackers inject malicious scripts into your pages.

Configuration Audit

Cookie & Session Security Scanner

Audit cookie flags, session management, and token security for your application.

Vulnerability Detection

JWT Security Audit

Analyze JSON Web Tokens for weak algorithms, key exposure, and implementation flaws.
