
Session spoofing
There is a considerable risk posed by an attacker sniffing network traffic and stealing session cookies to impersonate other users. However, JWTs were not designed to address this risk. You have SSL/HTTPS to take care of that problem: an SSL connection between your browser and web server provides confidentiality and data security in transit. If you are using JWTs over a plain HTTP connection, there is not much you can do to prevent an attacker from sniffing your traffic and misusing the token.

JWTs are self-sufficient tokens used to share authentication information between different systems. They solve the problem of relying on third parties for validating an authentication token, as all the information required to validate the JWT is contained within the token itself. This simplifies on-boarding in a single sign-on system, as minimal integration is required. JWTs are also HTTP friendly, as they are just Base64 strings. JWTs have had their share of security issues in the past, and you still need to rely on third parties to get the right public keys for token validation.

You can't fully prevent JWT hijacking, but you can make it harder, or make a stolen token insufficient to break the solution. You can address this by implementing the concept of Zero Trust to verify the client's endpoint. For example, if you want to do so for a mobile app API, you should go one level further beyond the OpenID concept and verify that the client app presenting the JWT for authentication is a genuine, legitimate app, not a script or Postman.
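The self-contained validation described above, as an added example that is not part of the original post: a minimal HS256 verifier using only the Python standard library. The key, the `mint_hs256` issuer helper and the claim values are constructed for the demo; HS256 is used so the block runs offline, whereas an asymmetric algorithm would fetch the issuer's public key (the third-party dependency the text mentions). Note that a correctly signed token stolen in transit passes every check here; only `exp` and `aud` limit how long and where it can be replayed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. In practice the verifier obtains keys from the issuer
# (a JWKS endpoint for RS256/ES256), which is the third-party dependency the text notes.
DEMO_KEY = b"constructed-demo-secret-do-not-reuse"


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 token (stands in for the identity provider in this example)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, audience: str, now=None) -> dict:
    """Validate a token from its own contents plus the shared key; raise ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how much of the MAC matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # A valid signature only proves origin, not that the bearer is the legitimate
    # client; exp and aud bound how long and where a stolen token stays usable.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this audience")
    return claims
```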