I guess this depends on how secure you want to be… do you mean having access to a secure element or something similar?
Discussion
More secure than localStorage in JS, but still on the user’s device, so I don’t have to store it in a database that I own.
I guess the main issue with local storage is the same as with any other browser storage - a successful XSS attack could read the data. So probably encrypting with a passphrase would be the way to go? Or relying on a remote signer.
Yeah, maybe I’ll try encrypting with a passcode.
I shall report back 🫡
If I make a PWA client, how can I securely store a private key so that it's not susceptible to simple XSS attacks?
localStorage is not secure enough for something so sensitive.
Have 2 domains: app.example and sign.app.example.
On sign.app.example, it acts as an in-browser signer for app.example in a hidden iframe (you do not need users to visit it directly) while always validating the parent is app.example.
If app.example is broken they can’t break the sign subdomain.
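The signer-iframe idea from the post above, sketched as an added example (not code from the thread): the message handler that would run on sign.app.example. The message fields, `makeSignerHandler`, the `signPayload` callback and the sample events are assumptions constructed for illustration.

```javascript
// Message gate for the signer iframe on sign.app.example (added example).
// Origins come from the post; message fields and signPayload are assumptions.
const ALLOWED_ORIGIN = "https://app.example";
const MAX_PAYLOAD_LEN = 65536; // constructed limit

function makeSignerHandler(parentWindow, signPayload) {
  return function onMessage(event) {
    // 1. Exact origin comparison; prefix or suffix matching can be spoofed.
    if (event.origin !== ALLOWED_ORIGIN) return "rejected:origin";
    // 2. Only the window that embeds this iframe may make requests.
    if (event.source !== parentWindow) return "rejected:source";
    // 3. Strict request shape; anything else (e.g. a key export) is refused.
    const msg = event.data;
    if (msg === null || typeof msg !== "object" ||
        msg.type !== "sign-request" || typeof msg.id !== "string" ||
        typeof msg.payload !== "string" ||
        msg.payload.length > MAX_PAYLOAD_LEN) return "rejected:shape";
    // 4. Sign inside this origin; the reply carries a signature, never the key.
    const signature = signPayload(msg.payload);
    // 5. Pin targetOrigin so the reply is dropped if the parent has navigated.
    parentWindow.postMessage(
      { type: "sign-response", id: msg.id, signature }, ALLOWED_ORIGIN);
    return "signed";
  };
}
// In the iframe page:
//   window.addEventListener("message",
//     makeSignerHandler(window.parent, signPayload));
// Also serve that page with
//   Content-Security-Policy: frame-ancestors https://app.example
// so that no other site can embed the signer.

// Constructed events exercising each branch (stand-in signer, fake windows).
function runConstructedDemo() {
  const sent = [];
  const parent = { postMessage: (m, origin) => sent.push({ m, origin }) };
  const handler = makeSignerHandler(parent, (p) => "sig(" + p + ")");
  const req = { type: "sign-request", id: "1", payload: "hello" };
  const ok = "https://app.example";
  const outcomes = [
    handler({ origin: ok, source: parent, data: req }),
    handler({ origin: "https://app.example.evil.test", source: parent, data: req }),
    handler({ origin: ok, source: {}, data: req }),
    handler({ origin: ok, source: parent, data: { type: "export-key" } }),
  ];
  return { outcomes, sent };
}
```

This keeps the key out of reach of script running on app.example, but that script can still request signatures, so the signer should limit or confirm what it is willing to sign.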
Curious why you'd want the PWA to store private keys in the first place?