DEV Community: Abdullah Al Fahim The latest articles on DEV Community by Abdullah Al Fahim (@abfahimb). https://dev.to/abfahimb https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3960831%2Fd898c65d-9e5b-42b0-848d-ef51b5160e27.png DEV Community: Abdullah Al Fahim https://dev.to/abfahimb en Stop Storing Plaintext in Browser Cookies — Use AES-GCM Encryption Instead Abdullah Al Fahim Sun, 31 May 2026 06:58:01 +0000 https://dev.to/abfahimb/stop-storing-plaintext-in-browser-cookies-use-aes-gcm-encryption-instead-2i5n https://dev.to/abfahimb/stop-storing-plaintext-in-browser-cookies-use-aes-gcm-encryption-instead-2i5n <p>If any of them look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="nl">"userId"</span><span class="p">:</span><span class="mi">42</span><span class="p">,</span><span class="nl">"role"</span><span class="p">:</span><span class="s2">"admin"</span><span class="p">,</span><span class="nl">"email"</span><span class="p">:</span><span class="s2">"user@example.com"</span><span class="p">,</span><span class="nl">"plan"</span><span class="p">:</span><span class="s2">"pro"</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>You have a problem.</p> <p>Anyone who can access that browser — a shared computer, a browser extension, a shoulder-surfer, an XSS payload — can read everything you stored. No hacking required. It's just... there.</p> <p>Today I'm going to show you how to fix it in under 5 minutes using <strong>js-cookie-encrypt</strong> — the only actively maintained, zero-dependency, client-side encrypted cookie library built on the browser's native <code>SubtleCrypto</code> API.</p> <h2> The Problem With Cookies Today </h2> <p>Browser cookies are the backbone of web sessions. Nearly every framework uses them to track authentication state, user preferences, feature flags, and shopping carts. They're fast, they work across tabs, they survive page reloads.</p> <p>But they have one glaring flaw: <strong>they're stored in plaintext by default.</strong></p> <p>The most popular cookie library, <code>js-cookie</code>, has <strong>23 million weekly downloads</strong>. It's excellent. But it does zero encryption. Same story for <code>universal-cookie</code> (1.8M weekly downloads) and every other client-side cookie manager I've found.</p> <p>The server-side world has <code>secure-cookie</code> and <code>cookie-encrypter</code> — but those are Express middleware. They don't help you in a React SPA, a Next.js client component, or a Vue app.</p> <p><code>crypto-js</code> has encryption algorithms — but it's been <strong>abandoned by its maintainers</strong> and carries 300KB+ of algorithms you'll never use.</p> <p>So developers are left with three bad options:</p> <ol> <li>Store plaintext (everyone does this)</li> <li>Roll their own encryption (error-prone, usually wrong)</li> <li>Use an abandoned library (crypto-js)</li> </ol> <p>There's a fourth option now.</p> <h2> Introducing js-cookie-encrypt </h2> <p><code>js-cookie-encrypt</code> fills the gap that's existed in the frontend ecosystem for years: a lightweight, actively maintained, <strong>client-side encrypted cookie library</strong> built on the browser's native Web Cryptography API.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>js-cookie-encrypt </code></pre> </div> <p>Here's what your cookies look like after:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gcm:aGVsbG8td29ybGQtdGhpcy1pcy1lbmNyeXB0ZWQtd2l0aC1hZXMtZ2NtLTI1Ni1iaXQ... </code></pre> </div> <p>Unreadable. Authenticated. Tamper-proof.</p> <h2> Why Native SubtleCrypto Instead of crypto-js? </h2> <p>Most encrypted cookie libraries reach for <code>crypto-js</code>. Don't.</p> <p>The browser has had a built-in cryptography API since 2013 — <code>window.crypto.subtle</code>. It:</p> <ul> <li>Ships in every modern browser with zero bundle cost</li> <li>Runs in a separate thread (non-blocking)</li> <li>Uses hardware acceleration where available</li> <li>Is maintained by browser vendors, not abandoned npm packages</li> <li>Implements AES-GCM with authenticated encryption (tamper detection built in)</li> </ul> <p><code>js-cookie-encrypt</code> uses <code>SubtleCrypto</code> directly. No crypto library dependency. <strong>Zero dependencies total.</strong></p> <h2> Getting Started </h2> <h3> Installation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>js-cookie-encrypt <span class="c"># yarn add js-cookie-encrypt</span> <span class="c"># pnpm add js-cookie-encrypt</span> </code></pre> </div> <p>CDN:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"https://cdn.jsdelivr.net/npm/js-cookie-encrypt/dist/js-cookie-encrypt.min.js"</span><span class="nt">&gt;&lt;/script&gt;</span> </code></pre> </div> <h3> Basic Usage </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">JsCookieEncrypt</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">js-cookie-encrypt</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">store</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JsCookieEncrypt</span><span class="p">({</span> <span class="na">storageKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">,</span> <span class="na">cryptoConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">privateKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">your-secret-key</span><span class="dl">'</span><span class="p">,</span> <span class="na">algorithm</span><span class="p">:</span> <span class="dl">'</span><span class="s1">aes-gcm</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// Write encrypted</span> <span class="k">await</span> <span class="nx">store</span><span class="p">.</span><span class="nf">setAsync</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="mi">42</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user@example.com</span><span class="dl">'</span> <span class="p">});</span> <span class="c1">// Read decrypted</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">store</span><span class="p">.</span><span class="nf">getAsync</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">session</span><span class="p">?.</span><span class="nx">role</span><span class="p">);</span> <span class="c1">// 'admin'</span> </code></pre> </div> <p>That's it. Everything in the cookie is now AES-GCM 256-bit encrypted. The data in DevTools is an unreadable ciphertext blob.</p> <h2> TypeScript-First Design </h2> <p>Every API is fully generic. You get autocomplete, type checking, and compile-time errors — not just <code>any</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">UserSession</span> <span class="p">{</span> <span class="nl">userId</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">guest</span><span class="dl">'</span><span class="p">;</span> <span class="nl">preferences</span><span class="p">:</span> <span class="p">{</span> <span class="na">theme</span><span class="p">:</span> <span class="dl">'</span><span class="s1">dark</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">light</span><span class="dl">'</span><span class="p">;</span> <span class="nl">language</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">};</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">JsCookieEncrypt</span><span class="o">&lt;</span><span class="nx">UserSession</span><span class="o">&gt;</span><span class="p">({</span> <span class="na">storageKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">,</span> <span class="na">cryptoConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">privateKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">secret</span><span class="dl">'</span><span class="p">,</span> <span class="na">algorithm</span><span class="p">:</span> <span class="dl">'</span><span class="s1">aes-gcm</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// TypeScript knows the shape of everything</span> <span class="kd">const</span> <span class="nx">role</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">session</span><span class="p">.</span><span class="nf">getAsync</span><span class="p">(</span><span class="dl">'</span><span class="s1">role</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// typed as 'admin' | 'user' | 'guest'</span> <span class="kd">const</span> <span class="nx">theme</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">session</span><span class="p">.</span><span class="nf">getByPathAsync</span><span class="p">(</span><span class="dl">'</span><span class="s1">preferences.theme</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// typed as 'dark' | 'light'</span> <span class="c1">// This is a compile error — 'superadmin' is not valid</span> <span class="k">await</span> <span class="nx">session</span><span class="p">.</span><span class="nf">setAsync</span><span class="p">({</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">superadmin</span><span class="dl">'</span> <span class="p">});</span> <span class="c1">// ❌ Type error</span> </code></pre> </div> <p>The deep path API uses TypeScript's template literal types to infer the exact return type at every dot-notation path. <code>getByPathAsync('preferences.theme')</code> returns <code>'dark' | 'light'</code> — not <code>any</code>.</p> <h2> Deep Path Operations </h2> <p>Working with nested objects doesn't require reading, cloning, and re-writing the entire cookie. The path API handles it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">AppState</span> <span class="p">{</span> <span class="nl">user</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">address</span><span class="p">:</span> <span class="p">{</span> <span class="na">city</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">country</span><span class="p">:</span> <span class="kr">string</span> <span class="p">};</span> <span class="nl">preferences</span><span class="p">:</span> <span class="p">{</span> <span class="na">theme</span><span class="p">:</span> <span class="dl">'</span><span class="s1">dark</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">light</span><span class="dl">'</span><span class="p">;</span> <span class="nl">notifications</span><span class="p">:</span> <span class="nx">boolean</span> <span class="p">};</span> <span class="p">};</span> <span class="nl">cart</span><span class="p">:</span> <span class="p">{</span> <span class="na">items</span><span class="p">:</span> <span class="kr">number</span><span class="p">[];</span> <span class="nl">total</span><span class="p">:</span> <span class="kr">number</span> <span class="p">};</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">store</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">JsCookieEncrypt</span><span class="o">&lt;</span><span class="nx">AppState</span><span class="o">&gt;</span><span class="p">({</span> <span class="na">storageKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">app</span><span class="dl">'</span><span class="p">,</span> <span class="na">cryptoConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">privateKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">secret</span><span class="dl">'</span><span class="p">,</span> <span class="na">algorithm</span><span class="p">:</span> <span class="dl">'</span><span class="s1">aes-gcm</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// Initialize</span> <span class="k">await</span> <span class="nx">store</span><span class="p">.</span><span class="nf">setAsync</span><span class="p">({</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Alice</span><span class="dl">'</span><span class="p">,</span> <span class="na">address</span><span class="p">:</span> <span class="p">{</span> <span class="na">city</span><span class="p">:</span> <span class="dl">'</span><span class="s1">London</span><span class="dl">'</span><span class="p">,</span> <span class="na">country</span><span class="p">:</span> <span class="dl">'</span><span class="s1">UK</span><span class="dl">'</span> <span class="p">},</span> <span class="na">preferences</span><span class="p">:</span> <span class="p">{</span> <span class="na">theme</span><span class="p">:</span> <span class="dl">'</span><span class="s1">dark</span><span class="dl">'</span><span class="p">,</span> <span class="na">notifications</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">},</span> <span class="na">cart</span><span class="p">:</span> <span class="p">{</span> <span class="na">items</span><span class="p">:</span> <span class="p">[],</span> <span class="na">total</span><span class="p">:</span> <span class="mi">0</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// Get nested value — typed as string</span> <span class="kd">const</span> <span class="nx">city</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">store</span><span class="p">.</span><span class="nf">getByPathAsync</span><span class="p">(</span><span class="dl">'</span><span class="s1">user.address.city</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// 'London'</span> <span class="c1">// Update one nested field without touching the rest</span> <span class="k">await</span> <span class="nx">store</span><span class="p">.</span><span class="nf">setByPathAsync</span><span class="p">(</span><span class="dl">'</span><span class="s1">user.address.city</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Paris</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Deep merge a nested object</span> <span class="k">await</span> <span class="nx">store</span><span class="p">.</span><span class="nf">updateByPathAsync</span><span class="p">(</span><span class="dl">'</span><span class="s1">user.preferences</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">theme</span><span class="p">:</span> <span class="dl">'</span><span class="s1">light</span><span class="dl">'</span> <span class="p">});</span> <span class="c1">// Delete a nested field</span> <span class="k">await</span> <span class="nx">store</span><span class="p">.</span><span class="nf">deleteByPathAsync</span><span class="p">(</span><span class="dl">'</span><span class="s1">user.address.country</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Check existence</span> <span class="kd">const</span> <span class="nx">hasCity</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">store</span><span class="p">.</span><span class="nf">hasAsync</span><span class="p">(</span><span class="dl">'</span><span class="s1">user.address.city</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// true</span> </code></pre> </div> <p>All of these read → decrypt → mutate → encrypt → write under the hood. You work with clean data.</p> <h2> Real-Time Change Subscriptions </h2> <p>Subscribe to cookie changes across your application. Perfect for keeping UI state in sync without prop drilling or a global store.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">unsubscribe</span> <span class="o">=</span> <span class="nx">store</span><span class="p">.</span><span class="nf">subscribe</span><span class="p">((</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">switch </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="kd">type</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">set</span><span class="dl">'</span><span class="p">:</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Cookie created:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">event</span><span class="p">.</span><span class="nx">newValue</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">update</span><span class="dl">'</span><span class="p">:</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Changed:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">event</span><span class="p">.</span><span class="nx">oldValue</span><span class="p">,</span> <span class="dl">'</span><span class="s1">→</span><span class="dl">'</span><span class="p">,</span> <span class="nx">event</span><span class="p">.</span><span class="nx">newValue</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">delete</span><span class="dl">'</span><span class="p">:</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Fields deleted, cookie is now:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">event</span><span class="p">.</span><span class="nx">newValue</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">clear</span><span class="dl">'</span><span class="p">:</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Cookie cleared. Was:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">event</span><span class="p">.</span><span class="nx">oldValue</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// Each method fires the correct event type</span> <span class="k">await</span> <span class="nx">store</span><span class="p">.</span><span class="nf">setAsync</span><span class="p">({</span> <span class="na">items</span><span class="p">:</span> <span class="p">[]</span> <span class="p">});</span> <span class="c1">// fires 'set'</span> <span class="k">await</span> <span class="nx">store</span><span class="p">.</span><span class="nf">updateAsync</span><span class="p">({</span> <span class="na">items</span><span class="p">:</span> <span class="p">[</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">]</span> <span class="p">});</span> <span class="c1">// fires 'update'</span> <span class="k">await</span> <span class="nx">store</span><span class="p">.</span><span class="nf">deleteFieldsAsync</span><span class="p">([</span><span class="dl">'</span><span class="s1">cart</span><span class="dl">'</span><span class="p">]);</span> <span class="c1">// fires 'delete'</span> <span class="k">await</span> <span class="nx">store</span><span class="p">.</span><span class="nf">clearAsync</span><span class="p">();</span> <span class="c1">// fires 'clear'</span> <span class="c1">// Clean up</span> <span class="nf">unsubscribe</span><span class="p">();</span> </code></pre> </div> <h2> Enterprise Key Rotation </h2> <p>Rotating encryption keys in production is painful when users have existing encrypted cookies — they break the moment you deploy a new key.</p> <p><code>js-cookie-encrypt</code> solves this with zero downtime key rotation. Pass an array of keys: the first is the active encryption key, the rest are fallbacks for decrypting old cookies.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">store</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JsCookieEncrypt</span><span class="p">({</span> <span class="na">storageKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">,</span> <span class="na">cryptoConfig</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// New key at index 0. Old keys at index 1, 2...</span> <span class="na">privateKey</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">new-key-2026</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">old-key-2025</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">older-key-2024</span><span class="dl">'</span><span class="p">],</span> <span class="na">algorithm</span><span class="p">:</span> <span class="dl">'</span><span class="s1">aes-gcm</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// Automatically:</span> <span class="c1">// 1. Tries to decrypt with 'new-key-2026'</span> <span class="c1">// 2. Falls back to 'old-key-2025' if that fails</span> <span class="c1">// 3. Falls back to 'older-key-2024' if that fails</span> <span class="c1">// 4. Re-encrypts with 'new-key-2026' and saves</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">store</span><span class="p">.</span><span class="nf">getAsync</span><span class="p">();</span> </code></pre> </div> <p>Users who have cookies encrypted with old keys get transparently migrated on their next request. No session invalidation. No support tickets.</p> <h2> SSR-Safe (Next.js, Nuxt, Remix) </h2> <p>The most common Next.js cookie bug: calling <code>document.cookie</code> on the server crashes with <code>ReferenceError: document is not defined</code>.</p> <p><code>js-cookie-encrypt</code> detects when <code>document.cookie</code> is unavailable and silently falls back to an in-memory Map. Your code works identically on server and client.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/session.ts — safe to import anywhere in Next.js</span> <span class="k">import</span> <span class="nx">JsCookieEncrypt</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">js-cookie-encrypt</span><span class="dl">'</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">Session</span> <span class="p">{</span> <span class="nl">userId</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">role</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">sessionStore</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">JsCookieEncrypt</span><span class="o">&lt;</span><span class="nx">Session</span><span class="o">&gt;</span><span class="p">({</span> <span class="na">storageKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">,</span> <span class="na">cryptoConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">privateKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_COOKIE_KEY</span><span class="o">!</span><span class="p">,</span> <span class="na">algorithm</span><span class="p">:</span> <span class="dl">'</span><span class="s1">aes-gcm</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">defaultOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">secure</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">'</span><span class="s1">lax</span><span class="dl">'</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/page.tsx — works in server components too</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">sessionStore</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/lib/session</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">Page</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">sessionStore</span><span class="p">.</span><span class="nf">getAsync</span><span class="p">();</span> <span class="c1">// session is null server-side (no document.cookie)</span> <span class="c1">// session is populated client-side after hydration</span> <span class="p">}</span> </code></pre> </div> <h2> React Hook Example </h2> <p>Here's a production-ready React hook that keeps state in sync with the encrypted cookie:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">useEffect</span><span class="p">,</span> <span class="nx">useState</span><span class="p">,</span> <span class="nx">useCallback</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">JsCookieEncrypt</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">js-cookie-encrypt</span><span class="dl">'</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">UserPrefs</span> <span class="p">{</span> <span class="nl">theme</span><span class="p">:</span> <span class="dl">'</span><span class="s1">dark</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">light</span><span class="dl">'</span><span class="p">;</span> <span class="nl">language</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">notifications</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">prefStore</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">JsCookieEncrypt</span><span class="o">&lt;</span><span class="nx">UserPrefs</span><span class="o">&gt;</span><span class="p">({</span> <span class="na">storageKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">prefs</span><span class="dl">'</span><span class="p">,</span> <span class="na">cryptoConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">privateKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">secret</span><span class="dl">'</span><span class="p">,</span> <span class="na">algorithm</span><span class="p">:</span> <span class="dl">'</span><span class="s1">aes-gcm</span><span class="dl">'</span> <span class="p">},</span> <span class="na">defaultOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">'</span><span class="s1">lax</span><span class="dl">'</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">usePreferences</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">prefs</span><span class="p">,</span> <span class="nx">setPrefs</span><span class="p">]</span> <span class="o">=</span> <span class="nx">useState</span><span class="o">&lt;</span><span class="nx">UserPrefs</span> <span class="o">|</span> <span class="kc">null</span><span class="o">&gt;</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">loading</span><span class="p">,</span> <span class="nx">setLoading</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">prefStore</span><span class="p">.</span><span class="nf">getAsync</span><span class="p">().</span><span class="nf">then</span><span class="p">(</span><span class="nx">data</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setPrefs</span><span class="p">(</span><span class="nx">data</span> <span class="k">as</span> <span class="nx">UserPrefs</span> <span class="o">|</span> <span class="kc">null</span><span class="p">);</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// Stay in sync with external changes</span> <span class="kd">const</span> <span class="nx">unsubscribe</span> <span class="o">=</span> <span class="nx">prefStore</span><span class="p">.</span><span class="nf">subscribe</span><span class="p">(</span><span class="nx">event</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">set</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">event</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">update</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setPrefs</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">newValue</span> <span class="k">as</span> <span class="nx">UserPrefs</span><span class="p">);</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">clear</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setPrefs</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">unsubscribe</span><span class="p">;</span> <span class="p">},</span> <span class="p">[]);</span> <span class="kd">const</span> <span class="nx">update</span> <span class="o">=</span> <span class="nf">useCallback</span><span class="p">(</span> <span class="p">(</span><span class="nx">updates</span><span class="p">:</span> <span class="nb">Partial</span><span class="o">&lt;</span><span class="nx">UserPrefs</span><span class="o">&gt;</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">prefStore</span><span class="p">.</span><span class="nf">updateAsync</span><span class="p">(</span><span class="nx">updates</span><span class="p">),</span> <span class="p">[]</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">clear</span> <span class="o">=</span> <span class="nf">useCallback</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">prefStore</span><span class="p">.</span><span class="nf">clearAsync</span><span class="p">(),</span> <span class="p">[]);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">prefs</span><span class="p">,</span> <span class="nx">loading</span><span class="p">,</span> <span class="nx">update</span><span class="p">,</span> <span class="nx">clear</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// In your component</span> <span class="kd">function</span> <span class="nf">SettingsPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">prefs</span><span class="p">,</span> <span class="nx">loading</span><span class="p">,</span> <span class="nx">update</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">usePreferences</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">loading</span><span class="p">)</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">Spinner</span> <span class="o">/&gt;</span><span class="p">;</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">button</span> <span class="nx">onClick</span><span class="o">=</span><span class="p">{()</span> <span class="o">=&gt;</span> <span class="nf">update</span><span class="p">({</span> <span class="na">theme</span><span class="p">:</span> <span class="nx">prefs</span><span class="p">?.</span><span class="nx">theme</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">dark</span><span class="dl">'</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">light</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">dark</span><span class="dl">'</span> <span class="p">})}</span><span class="o">&gt;</span> <span class="nx">Toggle</span> <span class="nc">Theme </span><span class="p">(</span><span class="nx">currently</span><span class="p">:</span> <span class="p">{</span><span class="nx">prefs</span><span class="p">?.</span><span class="nx">theme</span><span class="p">})</span> <span class="o">&lt;</span><span class="sr">/button</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> How the Encryption Actually Works </h2> <p>For the curious — here's what happens under the hood when you call <code>setAsync()</code>:</p> <p><strong>Encryption:</strong></p> <ol> <li>Your data object is serialized to JSON: <code>{"userId":42,"role":"admin"}</code> </li> <li>A random 12-byte IV (initialization vector) is generated using <code>crypto.getRandomValues()</code> </li> <li>Your private key is hashed with SHA-256 to produce a consistent 256-bit AES key</li> <li>The JSON string is encrypted using AES-GCM with the IV</li> <li>The IV (12 bytes) is prepended to the ciphertext</li> <li>The combined bytes are base64-encoded and prefixed with <code>gcm:</code> </li> <li>The result is written to <code>document.cookie</code> </li> </ol> <p><strong>Decryption:</strong></p> <ol> <li>The cookie is read and the <code>gcm:</code> prefix stripped</li> <li>The base64 string is decoded back to bytes</li> <li>The first 12 bytes are extracted as the IV</li> <li>The remaining bytes are decrypted using AES-GCM (this also verifies the authentication tag — if the data was tampered with, decryption fails)</li> <li>The decrypted bytes are decoded from UTF-8 to a string</li> <li>The JSON string is parsed and returned as your typed object</li> </ol> <p>AES-GCM is <strong>authenticated encryption</strong> — it doesn't just encrypt, it also produces an authentication tag that detects any tampering with the ciphertext. If someone modifies your encrypted cookie, decryption throws rather than returning corrupted data.</p> <h2> Comparison With Alternatives </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>js-cookie</th> <th>universal-cookie</th> <th>crypto-js</th> <th>js-cookie-encrypt</th> </tr> </thead> <tbody> <tr> <td>Browser cookies</td> <td>✅</td> <td>✅</td> <td>❌</td> <td>✅</td> </tr> <tr> <td>AES-GCM 256-bit</td> <td>❌</td> <td>❌</td> <td>✅</td> <td>✅</td> </tr> <tr> <td>Native Web Crypto</td> <td>❌</td> <td>❌</td> <td>❌</td> <td>✅</td> </tr> <tr> <td>Zero dependencies</td> <td>✅</td> <td>❌</td> <td>❌</td> <td>✅</td> </tr> <tr> <td>TypeScript generics</td> <td>✅</td> <td>✅</td> <td>✅</td> <td>✅</td> </tr> <tr> <td>Key rotation</td> <td>❌</td> <td>❌</td> <td>❌</td> <td>✅</td> </tr> <tr> <td>Deep path API</td> <td>❌</td> <td>❌</td> <td>❌</td> <td>✅</td> </tr> <tr> <td>Change events</td> <td>❌</td> <td>❌</td> <td>❌</td> <td>✅</td> </tr> <tr> <td>SSR / Next.js safe</td> <td>⚠️</td> <td>✅</td> <td>❌</td> <td>✅</td> </tr> <tr> <td>Actively maintained</td> <td>✅</td> <td>✅</td> <td>❌ abandoned</td> <td>✅</td> </tr> <tr> <td>Weekly downloads</td> <td>23M</td> <td>1.8M</td> <td>15M</td> <td>growing</td> </tr> </tbody> </table></div> <h2> Security Considerations (Be Honest With Your Users) </h2> <p>I want to be transparent about what this library does and doesn't protect against.</p> <p><strong>What it protects:</strong></p> <ul> <li>Casual reading of cookie values in DevTools</li> <li>Cookie values visible in log files, analytics tools, error trackers</li> <li>Network-level interception of cookie values (combined with <code>secure: true</code>)</li> <li>Shoulder surfing</li> <li>Automated scraping of cookie values</li> </ul> <p><strong>What it does NOT protect against:</strong></p> <ul> <li>An attacker with JavaScript execution on your page. The encryption key is accessible to JS — if your site has XSS vulnerabilities, those need to be fixed first.</li> <li>Browser extensions with full page access</li> <li>Physical access to the machine (cookies are stored on disk)</li> </ul> <p>This library is best described as <strong>defense in depth</strong> — it makes cookie values meaningless to anyone who isn't running your application code. For sessions that need true server-side security, use <code>HttpOnly</code> cookies set by your server (no JS library can do this — it's a server responsibility).</p> <h2> Production Configuration Checklist </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">store</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JsCookieEncrypt</span><span class="p">({</span> <span class="na">storageKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">,</span> <span class="na">cryptoConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">privateKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_COOKIE_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="c1">// ✅ env var, not hardcoded</span> <span class="na">algorithm</span><span class="p">:</span> <span class="dl">'</span><span class="s1">aes-gcm</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// ✅ strong cipher</span> <span class="p">},</span> <span class="na">defaultOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">secure</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// ✅ HTTPS only in prod</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">'</span><span class="s1">lax</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// ✅ CSRF protection</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// ✅ available site-wide</span> <span class="c1">// expires: 7 * 24 * 60 * 60 * 1000, // optional: 7 days in ms</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h2> Install and Try It Now </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>js-cookie-encrypt </code></pre> </div> <ul> <li><a href="https://github.com/abfahimb/js-cookie-encrypt" rel="noopener noreferrer">GitHub</a></li> <li><a href="https://www.npmjs.com/package/js-cookie-encrypt" rel="noopener noreferrer">npm</a></li> </ul> <p>If you find it useful, a ⭐ on GitHub goes a long way. Issues and PRs welcome.</p> <h2> Wrapping Up </h2> <p>The frontend ecosystem has had a gap for years: no maintained, client-side, encrypted cookie library. Every option was either plaintext, abandoned, server-only, or required a 300KB dependency.</p> <p><code>js-cookie-encrypt</code> fills that gap. It's:</p> <ul> <li>Built on native browser APIs (no dependency risk)</li> <li>AES-GCM 256-bit (authenticated encryption, not just obfuscation)</li> <li>TypeScript-first with full generic type inference</li> <li>Ready for production with key rotation and SSR support</li> </ul> <p>Your users' data deserves better than plaintext cookies. It takes five minutes to fix.</p> javascript security tutorial webdev