yasuocidal | 2 years ago

I am making a social app and JWT has some security concerns. Quote from https://www.akamai.com/blog/security-research/owasp-authenti...: Six threats to JWTs

    1) Allowing the server to use a token without validation.
    2) Using the same private key for different applications.
    3) Using a weak signing algorithm.
    4) Choosing a short and/or low-entropy private key.
    5) Keeping sensitive data in a JWT's payload.
    6) Confusing the keys.

I encourage the storing of the token so you can cross-check the information with a "local authentic copy". That way issues 1 and 6 of JWT are fixed, and issue 5 since you don't actually store "information" in the key: EVEN if someone steals your key he cannot steal sensitive data from it. Now I put "information" in quotes because you do put something, like the username, to make the key unique to the user, but the username was already "public information", so no "user personal data" leakage in case of a disaster.

Thanks for your feedback : )

To address issues 2, 3 and 4:

    2) You may use the "same key", but you have the option to change it whenever you want.
    3/4) Fernet is a VERY strong encryption algorithm.
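As an added example, not code from the comment's author: a minimal server-side store that cross-checks every presented token against its "local authentic copy", with a key ring so the signing key can be changed without breaking tokens issued under the old one. It is assumed that a standard-library HMAC token stands in for Fernet so the example runs without third-party packages; the key ids, store layout and helper names are constructed for illustration.

```python
"""Server-side 'local authentic copy' check for session tokens (constructed example)."""
import base64
import hashlib
import hmac
import secrets
import time

# Assumed key ring: the active key id can be rotated while older keys stay
# verifiable. Keys are constructed at import time for the example.
KEYS = {"k1": secrets.token_bytes(32), "k2": secrets.token_bytes(32)}
ACTIVE_KID = "k2"

# Server-side store: full token string -> record the server trusts.
STORE = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _sign(kid: str, body: str) -> str:
    # Swapped-in technique: HMAC-SHA256 over the token body instead of Fernet.
    return hmac.new(KEYS[kid], body.encode(), hashlib.sha256).hexdigest()


def issue(username: str, ttl: int = 3600, now=None) -> str:
    """Mint a token carrying only the (public) username and keep a server copy."""
    now = time.time() if now is None else now
    body = f"{ACTIVE_KID}.{_b64(username.encode())}.{secrets.token_urlsafe(16)}"
    token = f"{body}.{_sign(ACTIVE_KID, body)}"
    STORE[token] = {"username": username, "exp": now + ttl}
    return token


def verify(token: str, now=None):
    """Return the username only if the token is authentic AND matches the stored copy."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 4 or parts[0] not in KEYS:   # unknown key id: reject (issue 6)
        return None
    kid, user_b64, nonce, sig = parts
    if not hmac.compare_digest(sig, _sign(kid, f"{kid}.{user_b64}.{nonce}")):
        return None                                 # signature check (issue 1)
    record = STORE.get(token)                       # cross-check with local copy
    if record is None or now >= record["exp"]:
        return None
    if _b64(record["username"].encode()) != user_b64:
        return None                                 # token content must match server copy
    return record["username"]


def revoke(token: str) -> None:
    STORE.pop(token, None)
```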
