There is too much customer data being stored in the browser’s session storage, some of which is sensitive (password, and addresses). We only really need the customer's username and first name on the client side.

The session storage data expires when the user signs out, or the last browser tab for our application is closed, but if the user forgets to sign out or close their tabs, or someone sneaks a peak while they are away from their computer then it is all there to see.

It can also be stolen via XSS attacks.

It is easy for us to prevent these details from being sent to the client. In the GET /api/customer/{username} operation in CustomerModule, just set any sensitive fields to null before sending the customer to the client.