HACKER Q&A
📣 rdevsrex

How necessary is encrypting IndexedDB?


I'm developing an app for a client and frontend security is a major concern. It's React on the frontend and Node on the backend.

I've looked at all the Web Storage APIs and IndexedDB seems the most promising; however, all web storage is stored on disk unencrypted.

Since I have access to the backend I can generate the encryption key no problem, but since we only plan to have short-lived sessions (~1 hour) and then delete the data locally, I'm wondering how to quantify the risks of leaving that data unencrypted.

It seems that most websites that use IndexedDB don't encrypt that data, and they have a much longer storage time.

So, if you have any experience with this, I'd love to get your take on the cost/benefit of encrypting IndexedDB.

Thanks


  👤 b-pixel Accepted Answer ✓
I’d say it depends on the data being persisted. PII or any user data that is private in nature are good candidates for encryption regardless of session length. Other than that, encryption is overkill.

👤 joshxyz
Yeah, even web.telegram.org just uses localStorage directly. I think the basic idea is that if the user's browser is already compromised, the device's user is mostly compromised, too, already.
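
Added example, not part of any post in this thread: what the encryption option from the question costs in code, using the standard Web Crypto API (AES-GCM) to seal each record before it is written. The function names, the `profiles` store name and the sample record are assumptions; a Map stands in for the IndexedDB object store and random bytes stand in for the backend-issued key so the block runs offline.

```javascript
// Added example. WebCrypto: browser global, or Node's built-in module outside a browser.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();

// Import the per-session key bytes from the backend as a NON-extractable key:
// page script can encrypt/decrypt with it but cannot read the key material back.
function importSessionKey(rawKeyBytes) {
  return webcrypto.subtle.importKey('raw', rawKeyBytes, { name: 'AES-GCM' },
    false, ['encrypt', 'decrypt']);
}

// Encrypt one record. AES-GCM needs a fresh 96-bit IV per record; the store name
// and record id go in as additional data, so a ciphertext copied to another id
// fails authentication instead of decrypting.
async function sealRecord(key, storeName, id, value) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const additionalData = enc.encode(`${storeName}:${id}`);
  const ct = await webcrypto.subtle.encrypt({ name: 'AES-GCM', iv, additionalData },
    key, enc.encode(JSON.stringify(value)));
  return { id, iv, ct: new Uint8Array(ct) }; // the only thing that reaches IndexedDB
}

async function openRecord(key, storeName, row) {
  const additionalData = enc.encode(`${storeName}:${row.id}`);
  const pt = await webcrypto.subtle.decrypt({ name: 'AES-GCM', iv: row.iv, additionalData },
    key, row.ct);
  return JSON.parse(new TextDecoder().decode(pt));
}

// Constructed demo: a Map stands in for the IndexedDB object store and random
// bytes stand in for the key the backend would send.
async function demo() {
  const key = await importSessionKey(webcrypto.getRandomValues(new Uint8Array(32)));
  const store = new Map();
  const row = await sealRecord(key, 'profiles', 'u1', { email: 'alice@example.test' });
  store.set(row.id, row);
  const roundTrip = await openRecord(key, 'profiles', store.get('u1'));
  const movedRejected = await openRecord(key, 'profiles', { ...row, id: 'u2' })
    .then(() => false, () => true);
  return { roundTrip, movedRejected, extractable: key.extractable };
}

demo().then((result) => console.log(result));
```

This protects copies of the browser profile on disk; script running in the page's origin can still call `openRecord` while the key is in memory. Holding the CryptoKey only in a variable means it disappears with the tab, which fits the ~1 hour session described in the question.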