Testing how-tos
JWT Security Best Practices
JSON Web Tokens are convenient but easy to misuse. Most JWT vulnerabilities come from incorrect or incomplete validation. Follow these practices to keep tokens trustworthy.
Steps
- 1
Pin the algorithm server-side
Never let the token header choose the verification algorithm. Configure the expected algorithm explicitly and reject anything else, including 'none'.
- 2
Verify signature and standard claims
On every request, verify the signature and validate expiry (exp), not-before (nbf), audience (aud), and issuer (iss).
- 3
Separate key usage
Keep asymmetric public/private keys distinct from any symmetric secrets to prevent RS256/HS256 algorithm-confusion attacks.
- 4
Use strong, rotated keys
Use high-entropy signing keys and rotate them. Weak HMAC secrets can be brute-forced offline.
- 5
Keep tokens short-lived
Use short access-token lifetimes with refresh tokens, and support revocation for sensitive sessions.
- 6
Use vetted libraries
Rely on well-maintained JWT libraries with secure defaults rather than custom verification code.
Key takeaways
- The algorithm must be fixed server-side, never taken from the token.
- Always validate aud and iss, not just the signature and expiry.
- Short lifetimes plus rotation limit the blast radius of any leak.
FAQ
Is storing a JWT in localStorage safe?
localStorage is readable by JavaScript, so an XSS flaw can steal the token. HttpOnly cookies with SameSite protection are generally safer for browser sessions; whichever you choose, fix XSS and CSRF at the source.
Related
Impactr puts this into practice - autonomously testing your web apps and APIs the way an attacker would, and proving every finding with a reproducible exploit.
Join the waitlist