Missing User Warnings
Medium
- Confidence: 93%
- Finding: The guidance explicitly demonstrates storing an auth token in localStorage, which makes the token persist in browser storage and exposes it to any JavaScript running in the origin, including code injected through XSS or a compromised sub-application. In a micro-frontend architecture, multiple independently deployed apps share the same browser context, which increases the attack surface and makes this recommendation more dangerous than in a simpler single-app setup.
