@lookworld4/secure-browser-storage

v1.0.0

Storage-like API over localStorage/sessionStorage with transparent AES-GCM encryption via the Web Crypto API.

localStorage / sessionStorage with transparent AES-256-GCM encryption via the Web Crypto API. Logical keys behave like normal storage keys; values are encrypted at rest.

Install

```sh
npm install @lookworld4/secure-browser-storage
```

Usage

Because encryption uses SubtleCrypto, getItem and setItem are asynchronous (Promise), unlike native Storage.

```js
import {
  createSecureLocalStorage,
  createSecureSessionStorage,
} from "@lookworld4/secure-browser-storage";

// Passphrase (or derived secret) from which the encryption key is derived.
const password = "... user passphrase or derived secret ...";

// `jwt` and `cart` below are values supplied by your application.
const local = await createSecureLocalStorage({ password });
await local.setItem("access_token", jwt);
const token = await local.getItem("access_token"); // string | null

const session = await createSecureSessionStorage({ password });
await session.setItem("cart", JSON.stringify(cart));
```

Options

| Option | Description |
|--------|-------------|
| password | Passphrase for PBKDF2 key derivation (default 250,000 iterations). Required unless you pass cryptoKey. |
| cryptoKey | Your own 256-bit AES-GCM CryptoKey (skips PBKDF2 and salt metadata). |
| namespace | Isolates salts and entries within the same Storage object (default "default"). |
| pbkdf2Iterations | PBKDF2 iteration count (default 250_000). |
| subtle | Inject SubtleCrypto (mainly for tests). |

Advanced: custom Storage

```js
import { createSecureStorage } from "@lookworld4/secure-browser-storage";

const store = await createSecureStorage(myStorageImpl, { password: "..." });
```

Decryption errors

If the password is wrong or data was tampered with, getItem rejects with SecureStorageDecryptError.
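What that rejection rests on, as an added sketch that is not the package's source: AES-GCM authentication fails when the PBKDF2-derived key is wrong or the stored record has been modified. The record layout, SHA-256 as the PBKDF2 hash, the helper names, and binding the storage key name as additional authenticated data are assumptions made for this illustration.

```javascript
// Added illustration, not the package's source. Assumed here: record layout,
// SHA-256 as the PBKDF2 hash, helper names, key name bound as AES-GCM AAD.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder(), dec = new TextDecoder();
const toHex = (u8) => Array.from(u8, (b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (s) => Uint8Array.from(s.match(/../g), (h) => parseInt(h, 16));

async function deriveKey(password, salt, iterations = 250000) {
  const material = await wc.subtle.importKey("raw", enc.encode(password), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

async function seal(key, name, value) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per write
  const params = { name: "AES-GCM", iv, additionalData: enc.encode(name) };
  const ct = await wc.subtle.encrypt(params, key, enc.encode(value));
  return `${toHex(iv)}.${toHex(new Uint8Array(ct))}`; // ciphertext ends with the GCM tag
}

async function unseal(key, name, record) {
  const [iv, ct] = record.split(".").map(fromHex);
  const params = { name: "AES-GCM", iv, additionalData: enc.encode(name) };
  return dec.decode(await wc.subtle.decrypt(params, key, ct)); // rejects if the tag check fails
}

// Maps a decrypt attempt to "ok" or "rejected" so outcomes can be compared.
const attempt = (key, name, record) =>
  unseal(key, name, record).then(() => "ok", () => "rejected");

async function demo() {
  const store = new Map(); // stands in for localStorage
  const salt = wc.getRandomValues(new Uint8Array(16));
  const key = await deriveKey("correct horse", salt);
  // Constructed sample value, not a real token.
  store.set("access_token", await seal(key, "access_token", "constructed.jwt.value"));
  const rec = store.get("access_token");
  const flipped = rec.slice(0, -1) + (rec.endsWith("0") ? "1" : "0"); // alter one tag nibble
  return {
    record: rec,
    roundTrip: await unseal(key, "access_token", rec),
    wrongPassword: await attempt(await deriveKey("wrong guess", salt), "access_token", rec),
    tampered: await attempt(key, "access_token", flipped),
    movedToOtherKey: await attempt(key, "cart", rec),
  };
}
```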

Security notes

  • Not a substitute for HTTP-only cookies for session tokens when you need strict XSS isolation. Anything in the page can still use this API once your app has derived the key.
  • Does materially improve confidentiality of data at rest in the browser profile (disk, backups, casual inspection of Application storage) compared to plaintext JWTs or PII.
  • Client-side encryption cannot hide secrets from malicious code running in the same origin; combine with CSP, sanitization, and short-lived tokens as appropriate.

Requirements

Browsers (or environments) with localStorage / sessionStorage and crypto.subtle where you need them. Secure contexts (HTTPS or localhost) are required for SubtleCrypto in browsers.

License

MIT