is it bad to pass jwt token as part of url? - McMap

About

is it bad to pass jwt token as part of url?

Asked 23/5, 2019 at 10:50 Answered 23/5, 2019 at 11:11

Solved security jwt websecurity

F

1

11

Hi currently i have an angular application and java backend. in my angular component html i have some image such as profile photos. the resource that serves the image files is secured with spring security . so my quesiton is it bad to append json web tokens as part of an image url ? can it cause a security breach ? is it a bad practice ?

the following is how my angular code looks like from the chrome developer tool.

<div _ngcontent-c5="" class="avatar-circle bg-secondary text-brand-secondary" ng-reflect-klass="avatar-circle" ng-reflect-ng-class="bg-secondary,text-brand-second" style="background-image: url(&quot;http://localhost:8080/api/files/4eb81fa8-9c5d-4920-b0f5-c9239fb1cae7?access_token=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJnbG9iYWxhZG1pbkBsb2NhbGhvc3QiLCJhdXRoIjoiUk9MRV9HTE9CQUxfQURNSU4iLCJleHAiOjE1NjExOTkwNTh9.UFvdgZNxs_O1uTjtUh64ko3A47R2fxZxYFX0aXv2Jp_TkVrmlBT1mzN40JwclGk3m0sCZONKbnVhgXXKy69DfQ&quot;);">
  <!--bindings={
  "ng-reflect-ng-if": "false"
}-->
</div>

any help is appreciated . i would love to pass the access_token as part of the http get request header but i couldnt find a proper code anywhere. any help is appreciated.

Fair answered 23/5, 2019 at 10:50 Comment(1)

Possible duplicate of Is it safe to put a jwt into the url as a query parameter of a GET request? – Charmain 23/5, 2019 at 10:51

M

33

Depending on the image, you may want to make it public available or consider a different way to send to token to the server (a cookie may help).

Can it cause a security breach? Is it a bad practice?

As mentioned in my previous answer, JWT tokens are URL-safe when it comes to their syntax. Here is a quote from the RFC 7519:

A JWT is represented as a sequence of URL-safe parts separated by period (.) characters. Each part contains a base64url-encoded value. [...]

However, when using JWT as bearer tokens, it's advisable to avoid sending them in the URL. See the following quote from the RFC 6750:

Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be passed in page URLs (for example, as query string parameters).

Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken.

Browsers, web servers, and other software may not adequately secure URLs in the browser history, web server logs, and other data structures. If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations.

Magnetochemistry answered 23/5, 2019 at 11:11 Comment(2)

When would a JWT passed in a URL not be used as some sort of Bearer token? – Impale 25/2, 2023 at 11:56

In my personal scenario which I am researching, a customer places an order on my website and I put a link to an order status page in an email I send them. Therefore the security token effectively needs to be encoded in the URL. – Henrie 8/11, 2023 at 12:27

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.