jwt.io<\/a><\/p>\n\n\n\nHeader contains the type of token and algorithm used for signing and encoding. Algorithms can be HMAC, SHA256, RSA, HS256 or RS256.<\/p>\n\n\n\n
{ \n \"typ\": \"JWT\", \n \"alg\": \"HS256\"\n}<\/code><\/pre>\n\n\n\nPayload<\/h3>\n\n\n\n
Payload contains the data we are exchange through client and server. Here is the sample payload.<\/p>\n\n\n\n
{\n \"uid\": \"1234567890\",\n \"name\": \"yuuma\",\n \"iat\": 1231313123\n}<\/code><\/pre>\n\n\n\nWe can also add expiration payload to add expiration date of that token. We have to be careful about sensitive informations since, JWT can be decoded easily.<\/p>\n\n\n\n
Signature<\/h3>\n\n\n\n
Signatures are the most important part of JWT. It is calculated by encoding the header and payload using the Base64url encoding and concatenating them with a dot sign. This is then passed to the encryption algorithm. If he header or payload changes, signature has to calculated again.<\/p>\n\n\n\n
\/\/sample from jwt.io\nHMACSHA256(\n base64UrlEncode(header) + \".\" +\n base64UrlEncode(payload),\n your-256-bit-secret\n) secret base64 encoded<\/code><\/pre>\n\n\n\nTips<\/h3>\n\n\n\n
We have to be careful about these facts if we are using JWT token in your authorization mechanism <\/p>\n\n\n\n
- Use HTTPS to protect the Authorization header.<\/li>
- Better to prepare with blocklist tokens as the attacker might get JWT token before it’s expiration date.<\/li>
- If the JWT is cookie-persistent, you need to create an HttpOnlyCookie. This restricts third-party JavaScript from reading the JWT token from the cookie.<\/li>
- For XSS, the server side should always sanitize user-generated data.<\/li>
- For CSRF, have to mitigate CSRF by using the source of the request and special request headers.<\/li><\/ul>\n
![\"\u3053\u306e\u30a8\u30f3\u30c8\u30ea\u30fc\u3092\u306f\u3066\u306a\u30d6\u30c3\u30af\u30de\u30fc\u30af\u306b\u8ffd\u52a0\"](\"\/\/b.hatena.ne.jp\/images\/entry-button\/button-only@2x.png\")
<\/a>