is it bad to pass jwt token as part of url?

by

Depending on the image, you may want to make it public available or consider a different way to send to token to the server (a cookie may help).

Can it cause a security breach? Is it a bad practice?

As mentioned in my previous answer, JWT tokens are URL-safe when it comes to their syntax. Here is a quote from the RFC 7519:

A JWT is represented as a sequence of URL-safe parts separated by period (.) characters. Each part contains a base64url-encoded value. […]

However, when using JWT as bearer tokens, it’s advisable to avoid sending them in the URL. See the following quote from the RFC 6750:

Don’t pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be passed in page URLs (for example, as query string parameters).

Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken.

Browsers, web servers, and other software may not adequately secure URLs in the browser history, web server logs, and other data structures. If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations.

More Related Contents:

  1. If you can decode JWT, how are they secure?
  2. JWT (JSON Web Token) automatic prolongation of expiration
  3. Where to store JWT in browser? How to protect against CSRF?
  4. JWT refresh token flow
  5. Is it safe to put a jwt into the url as a query parameter of a GET request?
  6. Should JWT be stored in localStorage or cookie? [duplicate]
  7. Best practices for server-side handling of JWT tokens [closed]
  8. How does the SQL injection from the “Bobby Tables” XKCD comic work?
  9. Are HTTP cookies port specific?
  10. Salt Generation and open source software
  11. Is “double hashing” a password less secure than just hashing it once?
  12. Authentication versus Authorization
  13. Remove Server Response Header IIS7
  14. Is it safe to enable CORS to * for a public and readonly webservice?
  15. What is the purpose of base 64 encoding and why it used in HTTP Basic Authentication?
  16. Differences Between Rijndael and AES
  17. Convert .pfx to .cer
  18. Preventing Brute Force Logins on Websites
  19. Does HTML5 allow you to interact with local client files from within a browser
  20. Docker and securing passwords
  21. Should I hash the password before sending it to the server side?
  22. Send mail via Gmail with PowerShell V2’s Send-MailMessage
  23. Disable cross domain web security in Firefox
  24. CSRF protection: do we have to generate a token for every form?
  25. How to redirect all HTTP requests to HTTPS using .htaccess rules?
  26. SSO with CAS or OAuth?
  27. How do I secure REST API calls?
  28. What are best practices for securing the admin section of a website? [closed]
  29. How can I hash passwords in postgresql?
  30. How easily can you guess a GUID that might be generated?

Leave a Comment