Reputation: 277
Is JWT authentication is secure?how it protect CORS?
i have implemented the tokken based authentication in my project instead of the cookie-session based authentication. So, in jwt(jason-web-tokkens), every time is send req to server,I in headers attach the tokken and send it to server which validate it against the secret is used in generation the tokkkne in the first time and send me the response. Now, i have concern about it, first the tokken is saved in the local storage in browser.although the tokken is hashed but what if the hacker just take that tokken from storage and use it? can anyone tell me how it stop the CORS attack? I'm confused and cannot find any reliable answer online.
Upvotes: 1
Views: 1046
Answers (1)
Reputation: 4913
By CORS I think you are referring to XSS attacks? If so, the best way to prevent XSS is to secure your app against untrusted input. That is easier said than done, here is some information on that:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
The easier way to prevent XSS is to store the token in a Secure, HTTP only cookie. This means that the Javascript environment cannot touch it, and it will only be sent over secure channels.
Nothing comes for free though :) If you put the token in a cookie, you will also need to setup a CSRF prevention strategy:
https://www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet
This can be a lot to take in!
I work at Stormpath and I recently wrote this blog post that covers these topics: Token Based Authentication for Single Page Apps (SPAs)
Upvotes: 2
Related Questions
- NodeJS Authorize with JWT token
- Token Authentication - JWT
- Node.js API with JWT authentication
- How is JWT token authenticated?
- Properly authenticating users and preventing attacks with jwt
- authentication using JWT in NodeJS
- Questions regarding JWT
- Concerned about JWT security
- JSON Web Token (JWT) Security
- Node & Token Based Security