Prevent JWT attacks
You can protect your own websites against many of the attacks we've covered by taking the following high-level measures:
Use an up-to-date library for handling JWTs and make sure your developers fully understand how it works, along with any security implications. Modern libraries make it more difficult for you to inadvertently implement them insecurely, but this isn't foolproof due to the inherent flexibility of the related specifications.
Make sure that you perform robust signature verification on any JWTs that you receive, and account for edge-cases such as JWTs signed using unexpected algorithms.
Enforce a strict whitelist of permitted hosts for the
jku
header.Make sure that you're not vulnerable to path traversal or SQL injection via the
kid
header parameter.
Additional best practice for JWT handling
Although not strictly necessary to avoid introducing vulnerabilities, we recommend adhering to the following best practice when using JWTs in your applications:
Always set an expiration date for any tokens that you issue.
Avoid sending tokens in URL parameters where possible.
Include the
aud
(audience) claim (or similar) to specify the intended recipient of the token. This prevents it from being used on different websites.Enable the issuing server to revoke tokens (on logout, for example).
Last updated