Explore essential concepts in token-based authentication, focusing on common vulnerabilities and the defenses against them: JWT handling, safe token storage, and protection against token theft. Enhance your understanding of how to implement robust security practices and minimize risks in authentication systems.
Why is it critical to always transmit JSON Web Tokens (JWTs) over HTTPS rather than HTTP?
Explanation: Transmitting JWTs over HTTPS ensures that tokens are encrypted during transit, preventing attackers from capturing them via network sniffing. Using HTTP can expose sensitive tokens to interception. Payload size is not dependent on the protocol used. While using HTTPS is best practice, JWTs themselves are protocol-agnostic and not limited only to HTTPS.
What is the safest way to store tokens on a client-side web application to prevent cross-site scripting (XSS) attacks?
Explanation: Storing tokens in HTTP-only cookies prevents JavaScript from reading them, which helps protect against token theft through XSS attacks. LocalStorage and sessionStorage are both readable by JavaScript, making them less secure against XSS. Keeping tokens in global variables is also insecure because it exposes them to XSS vulnerabilities.
When a server receives a JWT, what should it do first to confirm the token has not been tampered with?
Explanation: Verifying the JWT's signature ensures the token's integrity and confirms it has not been altered. Checking the expiration is necessary, but only after confirming authenticity. Trusting the payload without verification is unsafe. JWTs are often not stored server-side at all, so a database lookup is not always feasible, and it is not an effective first check.
How does setting short expiration times for tokens help reduce security risks?
Explanation: Short token lifetimes minimize the opportunity for a stolen or compromised token to be misused. Short expiration does not necessarily speed up authentication or impact token size. While it reduces the impact of brute-force, its main benefit is limiting how long a stolen token is valid.
Which mechanism can be used to protect against replay attacks with tokens?
Explanation: Unique nonces ensure that each authentication request is distinct, making replay attacks much harder. Validating only during business hours does not address the core vulnerability. Unlimited token reuse and simply lengthening tokens do not provide meaningful protection against replay attacks.
Why should refresh tokens be given extra protection compared to access tokens?
Explanation: Because refresh tokens are long-lived and can be exchanged for new access tokens, their compromise poses a significant threat. Signature validation applies to all tokens and is not unique to refresh tokens. Refresh tokens are not shorter or easier to guess by nature. Clients often do store refresh tokens securely.
What is the main purpose of the 'aud' (audience) claim in a JWT?
Explanation: 'aud' defines the intended recipient or service for the token, helping ensure that the token is only accepted by the correct party. The token's issuer is recorded separately, often in the 'iss' claim. Counting uses or storing passwords is not a function of the 'aud' claim.
Which token storage strategy helps reduce the risk of CSRF in browser-based applications?
Explanation: Cookies with the 'SameSite=Strict' attribute are not sent on cross-site requests, which helps protect against CSRF. LocalStorage does not prevent CSRF as it is not tied to request submission. Regular cookies without SameSite are vulnerable to CSRF. Hidden form fields are not a reliable or secure strategy for tokens.
What is a common method for servers to handle JWT revocation before the token’s expiration?
Explanation: A denylist allows the server to maintain a list of tokens that should no longer be accepted even if not expired. Extending expiration doesn't revoke tokens. Changing the payload post-issuance does not affect already issued tokens. Omitting expiration increases risk and does not address revocation.
Why is it a security risk to store sensitive information, like passwords or full credit card numbers, inside a token's payload?
Explanation: Token payloads can be easily decoded and may be exposed via browser storage or interception in transit, risking leaks of sensitive information. JWTs are usually only encoded, not encrypted by default. Token size is not a major concern for this kind of data risk. While storing sensitive data in browsers is discouraged, the main issue is exposure, not browser prohibition.