Inside Your Browser's Secret Storage Rooms
Published: 11/17/2025
Most people think browsers just store cookies and maybe a bit of cache. But here's the thing: your browser is actually a small computer with drawers, cupboards, lockers, and even giant warehouses quietly holding your data every day.
Let me take you on a tour of this house. We'll look at how much each storage type can hold, what it's best for, and what you should absolutely avoid putting in there.
Cookies: The Tiny Sticky Notes
Cookies are the smallest storage option your browser has.
Storage capacity: Around 4 KB per cookie. That's basically a small slip of paper with a few sentences on it.
Best for: Login tokens, session tracking, and small identification keys. These are the little pieces of information that help websites remember who you are between page loads.
Never use for: Passwords (seriously, never), large chunks of data, or sensitive information that you wouldn't want exposed.
Why the limits? Cookies get sent to the server with every single request you make. If you stuff too much in there, you're just slowing down your website and potentially exposing data. Imagine sending a full backpack to your friend every time you text them. That's what overstuffed cookies do to your website.
Local Storage: Your Personal Drawer
Local Storage is like a small drawer in your desk. It keeps stuff even after you close the browser.
Storage capacity: About 5 MB in most browsers. That sounds small, but it's 1,000 times bigger than a single cookie.
Best for: Theme preferences (dark mode, light mode), shopping cart items, user settings, and small app state. Anything you want to remember for next time but isn't particularly sensitive.
Avoid storing: Passwords or tokens, anything over a few MB, or super sensitive data. Local Storage isn't encrypted, so anyone who gets access to your browser can read it. It's convenient but not secure.
Real world example: When you pick a dark theme on a website and it remembers your choice next time, that's probably Local Storage at work.
Session Storage: The Temporary Locker
Session Storage is exactly like those lockers you rent at a mall. You use it while you're there, but once you leave, it's gone.
Storage capacity: Similar to Local Storage, around 5 MB. But here's the catch: everything disappears when you close the tab.
Best for: Temporary form data, multi-step processes, or data that only matters for one tab. Think of it as scratch paper that gets thrown away when you're done.
Avoid storing: Anything you need after closing the tab or data you want to share across tabs. Session Storage is isolated to each tab, so if you open the same website in two tabs, they won't share Session Storage data.
Why the weird limitation? It's by design. Session Storage gives each tab its own private space, which is useful for things like multi-step forms where you don't want tabs interfering with each other.
IndexedDB: The Giant Warehouse
This is where things get interesting. IndexedDB is the browser's biggest storage space, and most people don't even know it exists.
Storage capacity: Hundreds of MB, sometimes several GB depending on your device. Browsers typically allow IndexedDB to use a percentage of your available disk space. This is massive compared to everything else we've talked about.
Best for: Offline apps, images and videos, large structured data, document editors, chat message history, and game save files. Basically, anything that needs serious storage space.
Real examples you use every day: Google Docs saving your work offline so you don't lose anything when your internet drops. WhatsApp Web storing chat messages so they load instantly. Notion keeping your notes available without internet. Instagram loading old posts from storage instead of fetching them again.
Avoid storing: Honestly? Nothing specific. This is designed for heavy lifting. If you need to store a lot of data in the browser, this is your answer. Just remember it's still not encrypted by default, so treat sensitive data carefully.
Cache Storage: The Speed Pantry
Cache Storage holds your website files so apps can load instantly, even on slow connections.
Storage capacity: Can hold hundreds of MB, sometimes as much as IndexedDB. The exact limit varies by browser and available disk space.
Best for: HTML, CSS, and JavaScript files, fonts and images, API responses for offline mode, and Progressive Web App (PWA) assets. This is all the stuff that makes websites load fast.
Why it matters: This is how apps keep working when your internet cuts out. Ever noticed how some apps show you old data when you're offline? That's Cache Storage doing its job. Without it, every website visit would require downloading everything from scratch.
Developer note: This works hand-in-hand with Service Workers to create truly offline-capable web apps. Together, they're what makes PWAs feel like native apps.
Memory Storage: The Whiteboard
This isn't an official API, but it's worth mentioning. When you store data in JavaScript variables, it lives in memory.
Storage capacity: Depends entirely on available RAM. Could be a few MB, could be hundreds. Modern browsers are pretty generous with memory for active tabs.
Best for: Fast temporary calculations and data processing while the page is open. Anything that needs to be super fast and doesn't need to persist.
Avoid storing: Anything you care about keeping. Refresh the page and it's all gone. Think of this like writing on a whiteboard. Great while you're using it, but someone will wipe it clean eventually.
File System Access API: The Surprising Guest
Some modern browsers let websites read and write actual files on your computer, but only if you explicitly give permission.
Storage capacity: As big as your hard drive. If you allow it, a website could theoretically store gigabytes. But don't worry, you're in complete control.
Best for: Photo editors, design tools, video editors, and code editors. Anything that needs to work with real files on your computer.
Examples you might know: Figma (design tool), Photopea (Photoshop alternative in browser), and VS Code for the Web. These apps can open and save files directly to your computer, making them feel like native applications.
Important: The website can't just access your files. You have to grant permission through a file picker dialog, just like when you upload a file. It's actually pretty secure because you're always in control of what the website can access.
Web SQL: The Old Guest Room
This one's officially deprecated, but you'll still see it in older browsers.
Storage capacity: Similar to IndexedDB, often tens of MB. But it doesn't matter much anymore.
Best for: Nothing anymore. Don't use this in new projects. It's been abandoned by browser vendors.
Why mention it? You might encounter it in legacy code or old tutorials. Just know it exists and that it's on its way out. If you see it, consider it a sign that the codebase needs updating.
Security: The Stuff Nobody Talks About
Here's the uncomfortable truth: most browser storage isn't encrypted or secure.
Local Storage and Session Storage can be accessed by any JavaScript on your page. If someone manages to inject malicious code (XSS attack), they can read everything. This is a bigger deal than most developers realize. That innocent-looking Local Storage key with your API token? An attacker can grab it in milliseconds.
What should you do? Never store passwords or API keys in Local Storage. Use httpOnly cookies for sensitive tokens because these can't be accessed by JavaScript at all. If you must store sensitive data in IndexedDB, encrypt it first using a proper encryption library. Always sanitize user input to prevent XSS attacks in the first place.
Good rule of thumb: If you wouldn't write it on a sticky note and leave it on your desk at a coffee shop, don't put it in browser storage without encryption.
Cookies have their own security concerns. Without the Secure and HttpOnly flags, they're vulnerable to interception and theft. Always set these flags for sensitive cookies. The Secure flag ensures cookies only travel over HTTPS, and HttpOnly prevents JavaScript from accessing them.
When Should You Use What?
Still confused about which storage to use? Here's a simple decision tree.
Need to store less than 4 KB and send it to the server? Use Cookies. They're designed for exactly this purpose and get automatically included in requests.
Need to remember user preferences across sessions? Use Local Storage. It's perfect for things like theme choices, language preferences, or UI settings that should persist.
Only need data for the current tab session? Use Session Storage. Great for wizard forms, temporary state, or data that should be isolated per tab.
Building an offline-capable app or storing large data? Use IndexedDB. It's the powerhouse of browser storage and can handle serious amounts of structured data.
Caching website assets for faster loads? Use Cache Storage with Service Workers. This is how you make websites work offline and load instantly.
Need to read/write actual files? Use File System Access API. It's the only way to interact with real files on the user's computer.
Just doing calculations while the page is open? Use regular JavaScript variables (memory). No need to complicate things if data doesn't need to persist.
Common Mistakes Developers Make
Storing too much in cookies: Remember, they're sent with every request. Keep them tiny. I've seen developers store entire JSON objects in cookies, and then wonder why their website is slow. Every request carries that extra baggage.
Treating Local Storage like a database: It's synchronous and blocks the main thread. For large operations, use IndexedDB instead. Reading 50 items from Local Storage in a loop will freeze your UI. Nobody wants that.
Not handling storage limits: Browsers can deny storage requests if you're out of space. Always wrap storage calls in try-catch blocks. Your app should handle storage failures gracefully, not just crash.
Forgetting about incognito mode: Some storage APIs behave differently or are more limited in private browsing. Session Storage works fine, but Local Storage and IndexedDB might get wiped immediately when the session ends.
Storing sensitive data unencrypted: Just because you can doesn't mean you should. Treat browser storage like a public bulletin board. Anyone with access to the browser can read it.
Not testing quota limits: Different browsers have different limits. Safari is particularly strict. Test your app's behavior when storage is full or denied.
Browser Compatibility Notes
Not all browsers treat storage the same way, and this can bite you if you're not careful.
Safari is more restrictive with storage quotas than Chrome or Firefox. It also has some quirks with IndexedDB in older iOS versions. If you're building something storage-heavy, test on Safari early.
Private or Incognito mode often gives you less storage or clears it immediately when you close the window. This is by design for privacy, but it means your offline features might not work as expected.
File System Access API doesn't work in Firefox yet. It's a Chromium-only feature for now. Always have a fallback if you're using this API.
iOS Safari has historically had some strange behaviors with storage, especially around when it decides to clear data. Things have improved, but it's still worth testing thoroughly on actual iOS devices, not just the simulator.
Where You See This Every Day
Now that you know how browser storage works, you'll start noticing it everywhere.
YouTube remembering where you paused a video, even if you close the tab and come back hours later. That's probably IndexedDB keeping track of your watch history and position.
Instagram loading older posts without fetching from the server. They cache images and post data locally, making scrolling feel instant even on slow connections.
Your bank's website keeping you logged in across sessions. That's cookies with your session token, carefully secured with HttpOnly and Secure flags.
Shopping carts surviving page refreshes. Local Storage holds your cart items so you don't lose them if you accidentally close the tab.
Google Maps working partially offline. Cache Storage and IndexedDB team up to store map tiles and location data so you can still navigate without internet.
Chat apps loading old messages instantly. WhatsApp Web, Telegram, Discord, they all use IndexedDB to store message history locally.
Games saving your progress locally. No need to hit a server every time you complete a level. IndexedDB stores your save file right in your browser.
All of this is powered by the storage systems hidden inside your browser. They're working silently in the background, making your web experience faster and more reliable.
Final Thoughts
Your browser isn't just a window to the internet. It's a capable little operating system with powerful storage tools built right in.
Once you understand how much each storage type can hold and what it's designed for, you can build apps that feel fast, smooth, and reliable. You can make things work offline. You can save users' data locally. You can create experiences that feel native, even though they're running in a web browser.
The web platform is surprisingly powerful. These storage APIs are proof of that. We've come a long way from the days when cookies were the only option and every interaction required a server round-trip.
So next time you're building something, think about which storage drawer, locker, or warehouse makes the most sense for your data. Think about what needs to persist, what needs to be secure, and what needs to be fast. Your users (and their experience) will thank you for it.
The best apps are the ones that feel instant, work offline, and never lose your data. Now you know how to build them.