JWT tokens have recently become a very popular authentication method in web applications. While this is one of the safest ways to protect resources, and there are no alternatives on the market – keep in mind that every rose has spikes and there are many potential risks lurking here too. They are mainly due to implementation errors. To guard against them, it is worth sticking to the following rules:
- Make sure that you are using sufficiently complex encryption keys of at least 2048 bits.
- Create a procedure in case of leakage of the encryption key.
- Keys should be stored in a secure manner (e.g. they should not be in source code).
- A specific signature method should be required by the server so that it cannot be changed on the client side.
- Verify that your implementation does not allow the signature algorithm "none".
- Verify that your implementation is sure to check the signature (it does not accept a blank signature and distinguish between the functions "verify()" and "decode()" ).
- Verify that the debug mode is disabled and cannot be enforced on the client side.
- Do not submit JWT tokens in the URL.
- Verify that you do not disclose sensitive information in the JWT token.
- Make sure you're protecting yourself from a replay attack.
- Verify that the lifetime of the token is sufficiently short and that it is actually checked correctly.
- Consider whether or not you need the function of invalidating individual tokens.
