IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. Guides
  3. JWT Security Best Practices

Testing how-tos

JWT Security Best Practices

JSON Web Tokens are convenient but easy to misuse. Most JWT vulnerabilities come from incorrect or incomplete validation. Follow these practices to keep tokens trustworthy.

Steps

  1. 1

    Pin the algorithm server-side

    Never let the token header choose the verification algorithm. Configure the expected algorithm explicitly and reject anything else, including 'none'.

  2. 2

    Verify signature and standard claims

    On every request, verify the signature and validate expiry (exp), not-before (nbf), audience (aud), and issuer (iss).

  3. 3

    Separate key usage

    Keep asymmetric public/private keys distinct from any symmetric secrets to prevent RS256/HS256 algorithm-confusion attacks.

  4. 4

    Use strong, rotated keys

    Use high-entropy signing keys and rotate them. Weak HMAC secrets can be brute-forced offline.

  5. 5

    Keep tokens short-lived

    Use short access-token lifetimes with refresh tokens, and support revocation for sensitive sessions.

  6. 6

    Use vetted libraries

    Rely on well-maintained JWT libraries with secure defaults rather than custom verification code.

Key takeaways

  • The algorithm must be fixed server-side, never taken from the token.
  • Always validate aud and iss, not just the signature and expiry.
  • Short lifetimes plus rotation limit the blast radius of any leak.

FAQ

Is storing a JWT in localStorage safe?

localStorage is readable by JavaScript, so an XSS flaw can steal the token. HttpOnly cookies with SameSite protection are generally safer for browser sessions; whichever you choose, fix XSS and CSRF at the source.

Related

JWT attacks explainedBroken Access ControlZero Trust

Impactr puts this into practice - autonomously testing your web apps and APIs the way an attacker would, and proving every finding with a reproducible exploit.

Join the waitlist
← All guides
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub