6

I've been working with JSON Web Tokens and reading up on how to make an app more secure. When a user is authorized, the token is signed, and a token will be placed in the Authorization header. This token can then be placed in localStorage, sessionStorage, or cookieStorage. The last option came out top as the most secure option, but I was wondering if there are any features of a JSON Web Token, or any middleware, or perhaps JSON Web Encryption (not really sure how this works) that would prevent a malicious attacker from intercepting/grabbing that token and using it for future requests to the app's APIs, since all that's needed is a request with that token for a dumb server to respond with the information requested.

My Name
  • 61
  • 1

2 Answers

2
  1. Send the token over TLS.
  2. Sign the token with a private/public key pair (i.e. RSA, ECDSA) to prevent tampering (so you don't use a shared secret!).
  3. If your token gets stolen, the attacker can only use it for a short period of time. You can set the expiration time to 15min.
  4. JSON Web Encryption (JWE) provides confidentiality of content. You can use asymmetric cryptography to send confidential content. See this example.
CipherX
  • 190
  • 1
  • 8
2

Securing User Credentials – Session Cookies Vs. JWTs:
  • Implement HTTPS on your server, and the login form is posted over this secure channel
  • Store the session ID in a secure, HTTPS-only cookie that can only be sent to your server over secure channels
  • Preventing Malicious Code (XSS): Don’t use Local Storage
  • Using JSON Web Tokens to Secure Your Web App UI: 3 parts:

Header:
  {
    "typ": "JWT",
    "alg": "HS256"   // the HS256 signature is specifically designed to PREVENT alteration of the payload
  }

JWT: should be signed with a private signing key
Body:
  {
    "iss": "your site",           // who issued this token
    "exp": <timestamp>,           // set a good expiration time
    "sub": "users/105898",        // user ID
    "scope": "self api/comment"   // what this user can do
  }

Notes:

  • When validating an incoming JWT, be careful what you consider valid
  • If JWT library changes enough, the library you're using might have to change in ways that break compatibility with your code. Follow link
Rei
  • 34
  • 10
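Added example, not code from either answer: a minimal HS256 issue/verify routine in standard-library Python that applies the checks both answers call for, namely a fixed algorithm allow-list, a signature check, and a short expiry, and then shows which bad tokens it rejects. SECRET and the sample claims are constructed values; answer 1 would swap the HMAC key for an RSA/ECDSA key pair.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret-do-not-reuse"  # HS256 shared key (answer 1 prefers RSA/ECDSA keys)
ALLOWED_ALGS = {"HS256"}  # allow-list: any other alg, including "none", is rejected
def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def sign(claims: dict, key: bytes, ttl_seconds: int = 900) -> str:
    """Issue a compact JWT; the default lifetime is 15 minutes, as answer 1 suggests."""
    now = int(time.time())
    header = {"typ": "JWT", "alg": "HS256"}
    body = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, body))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify(token: str, key: bytes, now=None) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
    except ValueError as e:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from e
    if header.get("alg") not in ALLOWED_ALGS:  # the token must not choose its own algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    now = int(time.time()) if now is None else now
    if now >= claims.get("exp", 0):  # a missing exp is treated as already expired
        raise ValueError("missing or passed exp")
    return claims

def demo() -> dict:
    """Show which tokens verify() rejects: a tampered payload, alg=none, and an expired token."""
    good = sign({"iss": "your site", "sub": "users/105898", "scope": "self api/comment"}, SECRET)
    h64, _, s64 = good.split(".")
    forged = b64url_encode(b'{"sub":"users/1","scope":"admin"}')  # edited payload, old signature kept
    cases = {"tampered": (f"{h64}.{forged}.{s64}", None),
             "alg_none": (b64url_encode(b'{"alg":"none"}') + "." + forged + ".", None),
             "expired": (good, int(time.time()) + 3600)}
    results = {"good": verify(good, SECRET)["sub"]}
    for name, (tok, when) in cases.items():
        try:
            results[name] = "accepted: " + str(verify(tok, SECRET, when))
        except ValueError as e:
            results[name] = str(e)
    return results
```

Storing the resulting token in an HttpOnly, Secure cookie rather than localStorage, as answer 2 advises, is a separate server-side step not shown here.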