Client-side encrypted cookies (beta)

Harden your web apps with this simple to integrate JavaScript API.


With our simple drop-in API you can easily read and write cookies that are secured with 256-bit AES encryption. Encryption happens client-side using a client secret such as a password, supplemental passphrase, or application generated value. This gives the user truly private data in any application you build.

Using the API

To begin reading and writing encrypted cookies, you need to sign-up for a developer account and receive your sub-token. This provides your applications with a seed key which is used to derive a strong key from a weak secret.

1. Include encrypt.js in your page. This gives you access to the cookie encryption and decryption functions.

<script type="text/javascript"

2. Obtain the seed key via cross-domain REST call to the API. Simply paste the following code into your HTML, providing your sub-token in the call to ssxdom().

<script type="text/javascript">
    ssxdom('__YOUR_SUB_TOKEN__') );

3. Now, you're ready to read and write encrypted cookies. To save encrypted cookies make the following function call.

setSecureCookie(secret, cookieName, cookieVal);

secret in the above call is any client-side secret. It may be the user's password, an additional passphrase (preferred), or an application generated value.

Note Using a client-known passphrase ensures that only your user has access to the data stored in the cookie. This can provide an additional layer of privacy for users of your application by storing certain data only client-side.

To decrypt and read the cookie with cookieName, make the following call. secret is the same client-known value that was used in the call to setSecureCookie().

var cookieVal = getSecureCookie(secret, cookieName);

The above call sets cookieVal to the clear, i.e. decrypted, value of the cookie.

Security details

Data is encrypted with 256-bit AES encryption using CBC mode. This means that even if your cookie data is redundant or guessable, it can't be guessed from the encrypted output. AES stands for the Advanced Encryption Standard and is adopted by the U.S. Government as a secure encryption technology.

Keys are derived from a strong, random 256-bit salt value (the 'seed key') and combined with a weaker, easier to remember user secret. The result is hashed 1,000 times resulting in a computationally difficult key that encrypts the user data.

Cookies are stored on user machines in a strong encrypted format. Since the data is encrypted with a user secret and stored locally, this data is truly user-private. It can be used to strengthen security against MITM attacks, or even as a way to provide another layer of privacy for users of your applications.

Login/Signup with OpenID

| [More providers soon]