IMAP credentials in WEB (browser) app - how to use securely



  • I need to send and check email (via IMAP email servers) from my web app. Storing credentials on the server seems like a problem, as they are almost always plain text.

    So if I store them in the client browser's storage, how much of a security risk could this be? Is there any way to make this secure without access to OS security enclaves like native apps have?

    I think that, other than Google, who uses OAuth, any other provider probably allows access to IMAP with just plain text.

    Thank you



  • Based on the comments following the question:

    You might want to consider encrypting the IMAP credentials on the client side (in-browser, using the JavaScript Web Crypto API), using an encryption key generated client-side, then storing the encrypted credentials on the server. This way, the server stores only the encrypted credentials, not the plaintext credentials, and the key for decrypting the credentials never leaves the browser.

    As for storing the key for decrypting the credentials, see https://crypto.stackexchange.com/questions/35530/where-and-how-to-store-private-keys-in-web-applications-for-private-messaging-wi/52488#52488 for a solution for storing the key securely in the browser's IndexedDB storage.

    When it comes time to log in to the IMAP server from the client, the client simply fetches the encrypted IMAP credentials from the server, retrieves the key from the browser's IndexedDB storage, and uses the key to decrypt the credentials.


