Is it safe to put a jwt into the url as a query parameter of a GET request?

by

It can be safe under the following circumstances:

  1. the JWT is one-time time usage only
  2. the jti and exp claims are present in the token
  3. the receiver properly implements replay protection using jti and exp

but in case it is used as a token that can repeatedly be used e.g. against an API then supplying it as a query parameter is less preferred since it may end up in logs and system process information, available to others that have access to the server or client system. In that case would be better to present it as part of a header or a POST parameter.

Besides that, by using it in the query parameters you may run in to URL size limitations on browsers or servers; using it in a header provides some more space, using it as a POST parameter would work best.

More Related Contents:

  1. How to redirect all HTTP requests to HTTPS
  2. Are HTTP cookies port specific?
  3. If you can decode JWT, how are they secure?
  4. JWT (JSON Web Token) automatic prolongation of expiration
  5. Where to store JWT in browser? How to protect against CSRF?
  6. JWT refresh token flow
  7. Should JWT be stored in localStorage or cookie? [duplicate]
  8. Is HTTP header Referer sent when going to a http page from a https page?
  9. Is it OK to return a HTTP 401 for a non existent resource instead of 404 to prevent information disclosure?
  10. How to redirect all HTTP requests to HTTPS using .htaccess rules?
  11. WS on HTTP vs WSS on HTTPS
  12. Best practices for server-side handling of JWT tokens [closed]
  13. How to send password securely via HTTP using Javascript in absence of HTTPS?
  14. is it bad to pass jwt token as part of url?
  15. The definitive guide to form-based website authentication [closed]
  16. Disable browser ‘Save Password’ functionality
  17. JWT authentication for ASP.NET Web API
  18. SHA512 vs. Blowfish and Bcrypt [closed]
  19. Will web browsers cache content over https
  20. Encrypting/Hashing plain text passwords in database [closed]
  21. Disable firefox same origin policy
  22. SSL and man-in-the-middle misunderstanding
  23. Is it possible to reverse a SHA-1?
  24. SPA best practices for authentication and session management
  25. Symfony2 extending DefaultAuthenticationSuccessHandler
  26. What is a retpoline and how does it work?
  27. Why not use MD5 for password hashing?
  28. How to manually decrypt an ASP.NET Core Authentication cookie?
  29. Use App Scripts to open form and make a selection
  30. How does ASN.1 encode an object identifier?

Leave a Comment