Prevention

  • Use up-to-date JWT libraries and let them handle parsing and verification, as they make it more difficult to inadvertently implement the checks insecurely.

  • Ensure robust signature verification on any JWT you receive, and account for edge cases such as tokens signed with an unexpected algorithm (including alg: none).

  • Enforce a strict whitelist of permitted hosts for the jku header, so the server only fetches keys from URLs you control.

  • Make sure the kid header parameter cannot be used for path traversal or SQL injection when the server uses it to look up the verification key (for example, by building a file path or a database query from it).

Best practices

  • Always set an expiration date for any tokens that you issue.

  • Avoid sending tokens in URL parameters where possible, as they end up in server logs, browser history and Referer headers.

  • Include the aud (audience) claim (or similar) to specify the intended recipient of the token. This prevents a token issued for one site from being accepted by another.

  • Enable the issuing server to revoke tokens (on logout, for example).
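As an added example (not part of the original page), the following standard-library Python verifier applies the two checklists above: it pins the algorithm server-side, looks up the kid only in an in-memory key map, allowlists the jku host, checks the signature in constant time, requires exp and aud, and supports issuer-side revocation via jti. The key ID, secret, hostname and audience values are constructed for illustration; the jku header is checked but never fetched, since keys come from the local map.

```python
# Standard-library-only HS256 JWT verifier applying the prevention checklist.
# All values below (kid-to-key map, jku hosts, audience, revocation set) are
# constructed for this example and are not real infrastructure.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlparse

EXPECTED_ALG = "HS256"                    # pinned server-side, never read from the token
EXPECTED_AUD = "api.example.com"          # constructed: this service's own identity
ALLOWED_JKU_HOSTS = {"auth.example.com"}  # constructed: hosts permitted in a jku header
KEYS = {"key-2024": b"constructed-example-secret-do-not-reuse"}  # constructed kid -> secret
REVOKED_JTI: set = set()                  # token IDs revoked by the issuer (e.g. on logout)


class InvalidToken(Exception):
    """Raised for any token that fails a check; callers treat it as unauthenticated."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(claims: dict, kid: str) -> str:
    """Issue an HS256 token; callers are expected to include exp, aud and jti."""
    header = {"alg": EXPECTED_ALG, "typ": "JWT", "kid": kid}
    signing_input = f"{b64url_json(header)}.{b64url_json(claims)}"
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def revoke(jti: str) -> None:
    """Issuer-side revocation: remember the token ID until its exp has passed."""
    REVOKED_JTI.add(jti)


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Return the claims if every check passes, otherwise raise InvalidToken."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:  # wrong part count, bad base64, bad JSON
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict):
        raise InvalidToken("malformed header")

    # Robust signature verification starts with pinning the algorithm, so
    # alg:none or an algorithm-confusion attempt is rejected before key lookup.
    if header.get("alg") != EXPECTED_ALG:
        raise InvalidToken("unexpected alg")

    # kid selects a key only by exact lookup in an in-memory map, so it can
    # never become a file path or a SQL fragment.
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KEYS:
        raise InvalidToken("unknown kid")

    # jku, if present, must be https on an allowlisted host. This example never
    # fetches it; the key still comes from the local map.
    if "jku" in header:
        url = urlparse(str(header["jku"]))
        if url.scheme != "https" or url.hostname not in ALLOWED_JKU_HOSTS:
            raise InvalidToken("jku host not permitted")

    expected = hmac.new(KEYS[kid], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")

    # Parse the payload only after the signature has been verified.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("malformed payload") from exc
    if not isinstance(claims, dict):
        raise InvalidToken("malformed payload")

    exp = claims.get("exp")  # expiry is mandatory, not optional
    if not isinstance(exp, int) or exp <= now:
        raise InvalidToken("missing or expired exp")

    aud = claims.get("aud")  # RFC 7519 allows a string or a list of strings
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("audience mismatch")

    if claims.get("jti") in REVOKED_JTI:  # issuer-side revocation (logout etc.)
        raise InvalidToken("token revoked")
    return claims
```

Call issue_token() with exp, aud and jti set, and verify_token() on every request; anything that fails raises InvalidToken, and revoke(jti) makes an otherwise valid token fail until it expires on its own. A service that only ever uses local keys would normally reject any token carrying a jku header outright; the allowlist check is shown here because the checklist mentions it.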
