Replying to Avatar lemon

nostr:nprofile1qy2hwumn8ghj76rfwd6zumn0wd68ytnvv9hxgqghwaehxw309ahxverz9ehx7umhdpjhyefwvdhk6qpq2262qa4uhw7u8gdwlgmntqtv7aye8vdcmvszkqwgs0zchel6mz7s4pc3yf

if I make a PWA client, how can I securely store a private key so that it's not susceptible to simple XSS attacks?

localStorage is not secure enough for something so sensitive

Avatar
semisol 8mo ago

Have 2 domains. app.example and sign.app.example

On sign.app.example, it acts as an in browser signer for app.example in a hidden iframe (you do not need users to visit it directly) while always validating the parent is app.example.

If app.example is broken they can’t break the sign subdomain

Reply to this note

Please Login to reply.

Discussion

No replies yet.