Reputation: 129
secured API with a JWT
I am currently learning how JWT is working and I am making an API with. I've made a middleware function so for each call to a secured route, the middleware is called and analyze the accessToken. I pass the token in the header of HTTP request in the field authorization, but here is my question :
is anybody can look at the access token in the header of a HTTP request ? because if it's the case this is really not secure no? anybody can look the accessToken of his friend and make api request with ?
I already make a refresh function to get a new access token when it expires, but my /refreshroute is without middleware because the accessToken is expired when we call the refreshroute. So the /refreshroute is also not secure and it returns a new accessToken ....
please help me I really want to learn how it works...
Upvotes: 1
Views: 89
Answers (1)
Reputation: 938
It depends on the type of connection you are sending the request using:
- If the request is sent using an SSL encryption (ie HTTPS), then you probably won't have to worry about anyone looking at the headers, as the strong encryption will not allow anyone else to look at the request except the recipient(server).
- However, if there is no SSL encryption, then the payload sent to the server is exposed and open for prying eyes and vulnerable to MITM attacks.
Upvotes: 1
Related Questions
- Node.js JWT refresh token in express middleware
- How to secure JWT token and refresh token in nodejs/angular
- jwt access token and refresh token flow
- Access token + Refresh token right approach?
- JWT authentication & refresh token implementation
- JWT refresh Token Implementation
- JWT Token Refresh Invoking
- Access Token and Refresh Token Dilema - JWT
- Refreshing JWT token - Do it? When?
- JWT refresh token or not