Finding the dcc.Store Data as an end-user (web browser DOM inspection)

Continuing the discussion from Difference in sharing data between callbacks with hidden divs and dcc.Store?:

If it’s not in the DOM, can an end-user see and/or manipulate dcc.Store data?

PS: I am not storing sensitive information in the Store

Good question! The data is stored in memory in the browser. It’s not easily findable, but accessible by running store.getState() in the Javascript console. The data is also accessible if the user opens the browser’s devtools and inspects the network console - that’s where you can inspect the data transfer between the server and the browser including all of the inputs, outputs, and state of callbacks.

2 Likes

Why do you ask? :slightly_smiling_face:

I was messing around with a dbc Text area component set to read only.

Had its value as a State in a callback

State('Component-name', 'value')

Let’s say I can press a button and generate a random math equation of a certain difficulty to solve. And that value displays the equation.
Maybe it’s a quadratic equation

In the DOM, I removed the readonly property, then edited the value on the web-browser.
On the server side, the callback recognized this change (say, changing it to 2+2).

So to my understanding, using that component and keyword arg is not the best way of going about it. Storing that generated equation in a store and using

State('Component-name', 'data')

would hopefully prevent anyone from changing that equation

I guess I could also monitor the keyword arg “readonly” of the text area component within the callback, and automatically generate a new equation if readonly was set to FALSE…

Hope that makes sense