Open in app

Sign in

Write

Sign in

7 Best Practices for JSON Web Tokens

Deeksha Agarwal
7 min readJul 3, 2020

Introduction

JSON Web Tokens or JWTs commonly pronounced as “jots” have become very popular in the past few years among developers and most likely you must have heard about them as well. With the increased popularity there is always an increase in adoption and risk.

Many people start adopting the technology and there are always some people who try to find some loopholes and give their best to exploit it. Hence we as developers, have to take care of a few things to make sure we don’t regret this later. In this article, we’ll discuss the best practices for using JSON Web Tokens. But before we start with the best practices, let’s have a quick look at what a JWT is.

What is a JSON Web Token or JWT?

A JSON Web Token or JWT is a URL-safe JSON-based security token which contains a set of information and is used to transmit packets of information for various purposes.

A JSON Web Token can be used for transmitting various information and one of the major uses of JWTs is to transmit authorization or authentication details between different parties.

JWTs are currently being used as a security token format in various protocols and applications and due to the widespread use of JWTs, there are many libraries available which makes construction of JWTs simpler and hence more susceptible to various attacks.

A JWT contains various information including some sensitive ones which when used illegally can cause a lot of havoc, hence it becomes necessary to make sure that the JWTs which we are using are secured and by all means safe to be transmitted.

To understand this better, let’s have a look at the structure of a JWT.

Structure of a JWT

A JSON Web Token or a JWT consists of three main parts: a header, payload, and a signature.

A JWT is then generated by encoding all these three parts using Base64URLEncoding and then concatenating them together using a period separator.

Const token= Base64URLEncoded Header. Base64URLEncoded Payload. Base64URLEncoded Signature

And this token is then used with the secret of the secret key to create the token.

Since, now we know the basic structure of how a JWT is created and what kind of information it contains, it’s time we get started with the best practices for JSON Web Tokens.

Best Practices for JSON Web Tokens

1. Perform Algorithm Verification

As we have seen above, a signed JWT contains the indication of the signing algorithm in the header to facilitate the cryptographic agility. Hence, someone can easily figure out the same from the “alg” parameter in the header. There are tools and libraries which can help to decode this token. For example, you can use jwt.io to decode the JWT token. So, when there are some design flaws in any library then it becomes easy to attack.

So, the libraries should make sure by verifying that the algorithm which is used for cryptographic operation should only be the one which is being used against the specific operation. The libraries should restrict the usage of any other algorithm except the one specified for that particular token. Also, one key should only be used with just one algorithm.

2. Multiple security encryption, a good choice?

When there are an ample of modes and methods available to maintain security, it often becomes tempting to use a bit of everything. Well, this is not always a good practice. Usage of one mode of security encryption modes is enough to secure confidentiality of a JWT.

You can encrypt a JWT by either directly encrypting it with a shared key or by using a key-wrapping method. Once you use any of the following methods then there is no need to use any additional layer of security. But even if you are overly concerned about security, then the preferable way is to rotate the security keys frequently. Using more options is not a way here, rather it complicates the things and it becomes more complex to handle this.

3. Follow Proper Key Management

A strong key management is the key to a key to any organizations’ system’s security. If the key management itself is weak, then the other security properties of that system are no longer guaranteed. If key management is compromised, then it becomes easier to decrypt messages, forge security tokens, and breach other parts of the system. Hence, various practices should be followed to make sure that the keys are not easily exposed to the system:

  • You need to make sure that the key storage is not easily accessible in case of any security breach. You can choose a HSM(Hardware Security Module) or any dedicated service for key management like Vault which runs on a separate host, thus making it difficult to attack.
  • Depending upon the usage volume, you can rotate your keys frequently(daily, weekly, or monthly) making it less vulnerable to attacks as this will cause frequent logouts. You can also use a customizable library which can be integrated with your system.
  • Using a high quality source key generator is also a way to make your keys less susceptible to attacks.
  • Keys should be immediately rotated in case of any suspect of compromise.

4. Remove the Header itself from the JWT and make it “Headless”?

Since we have already seen that a JWT contains a payload along with a “header”and the weakest point of vulnerability comes from the header which exposes the encryption algorithm for signature. So, eliminating this weakest link by removing the header and making the JWT headless can minimize the chances of vulnerability. To do so, you can simply eliminate the header from JWT and then recreate the data before parsing.

In order to strip the header: just remove the first encoded header parameters from the JWT. To reconstruct the JWT, just base64url-encode a fixed header identifying the known algorithm and parameters and append it to the headless JWT.

5. Understand all the Security Properties Properly

Most of the time, people aren’t able to put more efforts in encryption or digital signature as most of the time is lost between deciding a library, and reading the docs. As soon as the time comes for encryption, people move to other tasks as security methods and properties become too tiring to read and understand. But this is the worst mistake in this area as it can lead to vulnerabilities when used inappropriately.

There are various options that JWTs libraries provide that can be confusing:

  • Symmetric Message Authentication Codes (MACs) — MACs are used to confirm that the message came from the stated senderand has not been changed during the transmission. There are various standards for MACs like FIPS PUB 198–1, ISO/IEC 9797–1, SO/IEC 9797–2, HMACs.
  • Digital signatures- A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. There are various algorithms which help to encrypt the digital signatures like RSA, DSA, Rabin signature algorithm, etc.
  • Symmetric authenticated encryption- It is a symmetric encryption scheme in which encryption and decryption algorithms provide both confidentiality and authenticity assurances on the data based on AES in CBC mode or AES in GCM mode.
  • Public key encryption using RSA in which a message encrypted using a key can only be decrypted using another key which is known as “Private Key”.
  • Key agreement protocols which include protocols like ECDH or password-based, and various key-wrapping modes. A key-agreement protocol is a protocol whereby two or more parties can agree on a key in such a way that both influence the outcome
  • Payload compression.

You need to go into details of all these and decide which one suits your needs. This might be very confusing at first, but over the time you’ll get used to it and it will be beneficial in the long run.

6. Revoke JWTs or Limit the lifetime of the token

Since JWTs are used for providing authority, so once the task is achieved i.e the token has authorized the client it is a better practice to revoke the token. In case, the token is long lived, different measures should be taken to revoke it. However, short lived JWTs should be generated for better security and re-issued regularly. As this is a safe practice and it allows the token to refresh periodically and limits the case for vulnerability.

7. Understand all Security considerations

Before going for a JWT Based solution, make sure you read and understand all the security considerations. There are security considerations which advice on common security threats and the practices on how to avoid them.

Conclusion

Security of a system is one of the major things which no one can afford to compromise. So, with these best practices in place, you can make sure that your JWTs are secure. Hope these help you! If you have any more best practices to share with us, don’t hesitate to let me know in the comments!

Connect with me on Facebook, Twitter, LinkedIn, and Instagram.

If you like the post, just hit clap 👏 and help it find the wider audience.

Jwt
Jwt Token
Security
Security Token
Best Practices

--

--

Deeksha Agarwal

Written by Deeksha Agarwal

72 Followers

Sr. Product Manager @The Economic Times| Ex- LambdaTest

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams