Neil Madden has written about best practices for JSON Web Tokens (JWTs, pronounced “jots”). JWTs are popular as a way to securely transmit small packets of information, such as session tokens, proof of identity, and network protocol messages.
You will find best practices to ensure that your information stays secure. Taking some time to learn about the security properties and how the underlying cryptographic primitives provide them will pay dividends in the long run.
Authors considers also the fact that JWT libraries provide a lot of confusing options. These options can be bewildering at first, and you need to pick carefully to get the security properties you desire. The weakest part of any system’s security is often the key management - Neil will point you in right direction how to manage them properly.
The JWT specs contain Security Considerations sections that detail common threats and advice on how to avoid them; you will find links to them in article and you should read all of these and make sure you understand them before deploying a JWT-based solution. Links to common criticisms of JWT-based solutions are also included.
Recommended reading!
[Read More]