tl;dr: JWT Best Practice

Posted on Jul 28, 2022

Some notes on best practice when using JSON Web Tokens (as defined in RFC 7519).

Best Practice

  • Allowlist algorithms: accept only the exact ‘alg’ values you issue and reject everything else. A blocklist can be bypassed by malforming unwanted algorithm names (eg. ‘NoNe’ slipping past a check for ‘none’), which lets an unsigned token through.
  • Signature. Use asymmetric signing:
    • ES256 (faster signing, smaller keys and signatures) or
    • RS256 (more widely supported)
  • Why use asymmetric signing?
    • easier to keep the secret secret: only the issuer holds the private key, verifiers need just the public key
    • proves the token was signed by the real signer: with a shared HMAC secret, every service that can verify a token can also mint one
  • If you really have to use symmetric (HS256), use a long random key (at least 256 bits), keep it short-lived and rotate it, using the ‘kid’ header so verifiers can pick the right key
  • Always validate the token: verify the signature first, then check ‘exp’, ‘nbf’, ‘iss’ and ‘aud’. Never act on claims from a token that has only been decoded.
  • JWT can be used as an access token or an ID token: check the usage you expect (the ‘typ’ header, ‘at+jwt’ for access tokens per RFC 9068, and that ‘aud’ names your service). An ID token issued to the client must not be accepted by an API.
  • Of course, never include confidential information in the JWT itself: the payload is only base64url-encoded, not encrypted, and anyone holding the token can read it

Common Exploits

Sources & More Info