CRITICAL: Credentials stored in localStorage

## Security Finding

**Severity:** CRITICAL  
**Location:** `src/utils/confluenceSync.js:25-49`  
**CWE:** CWE-922 (Insecure Storage of Sensitive Information)

## Description

Confluence API credentials and entry mappings are stored in localStorage, which is:
- Accessible via XSS attacks
- Not protected by HttpOnly flag
- Not encrypted
- Readable by any JavaScript on the page

## Current Code

```javascript
export function saveEntryIdMappings(mappings) {
  entryIdMappings = { ...entryIdMappings, ...mappings };
  localStorage.setItem('confluence-entry-mappings', JSON.stringify(entryIdMappings));
}
```

## Recommended Fix

1. Move credential storage to server-side sessions
2. Use httpOnly, Secure, SameSite cookies for session tokens
3. Never store tokens client-side in localStorage
4. Implement proper backend authentication

## References

- Arcanum Anti-Patterns: Authentication Failures (Priority #5)
- OWASP: Sensitive Data Exposure

---
*Found by Arcanum sec-context security review*

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CRITICAL: Credentials stored in localStorage #72

Security Finding

Description

Current Code

Recommended Fix

References

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

CRITICAL: Credentials stored in localStorage #72

Description

Security Finding

Description

Current Code

Recommended Fix

References

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions