Last Update: 17.04.2020. By Jens in Newsletter
JWTs are great if you take some precautions, like not putting sensitive data in them. Yet it happens surprisingly often. It is a recurring theme in my consultations that devs forget that signed and encoded does not mean encrypted. And so user details that should not be there end up in the token: personal data, billing URLs and hosts.
JSON Web Tokens are only signed and encoded. That means anyone who obtains the token can decode it with ease and see what you stored in it. The only thing the signature secures is that they cannot tamper with the token.
Never forget that, and be sparing with what you put in a token.
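To make the point concrete, here is an added example (not code from the original newsletter) that builds an HS256-signed JWT containing more than the backend needs, decodes its claims without knowing the key, checks the signature, and flags claims that should not be in a token. The key, claims and the list of claim names treated as sensitive are all constructed for this demo.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(payload: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_payload_without_key(token: str) -> dict:
    # No key, no verification needed: the claims are just base64url-encoded JSON.
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes) -> bool:
    # Integrity is the one thing the signature gives you: recompute and compare.
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def tamper(token: str, new_payload: dict) -> str:
    # Swap the payload but keep the old signature; verification must fail.
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode()) + "." + sig_b64


# Constructed list of claim names a token reviewer would flag as over-sharing.
SENSITIVE_CLAIMS = {"email", "billing_url", "db_host", "address", "phone"}


def sensitive_claims_present(payload: dict) -> set:
    return SENSITIVE_CLAIMS & set(payload)


# Constructed demo key and token: the backend only needs "sub", yet more got in.
KEY = b"constructed-demo-key-not-a-real-secret"
TOKEN = make_hs256_token(
    {"sub": "42", "email": "alice@example.com", "billing_url": "https://billing.example.internal/acct/42"}, KEY
)
```

Run `decode_payload_without_key(TOKEN)` to see every claim without the key; `verify_hs256(tamper(TOKEN, {"sub": "1"}), KEY)` returns False, which is all the signature protects.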
Putting details in the token is convenient: your backend has everything it might need, with no extra request to retrieve user details. It's tempting to put even more in there. But it can also create holes if you are not aware of this.
I wasn't, until some time later it struck me that I should check what they actually put into that token. And voilà, everything was there. Doh!
So, be careful and double-check what you put into tokens and what your auth service actually does :-).