Leakage of sensitive data in JWT

Overview

  • Rule ID: javascript_lang_jwt

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-312

Description

Storing sensitive data in JWTs exposes it to anyone who can obtain the token. A signed JWT protects the integrity of its claims, not their confidentiality: the payload is only base64url-encoded, so any client, proxy, log file or browser storage that holds the token can read every claim without knowing the signing key. Unless the token is additionally encrypted, treat its payload as cleartext (CWE-312).

Remediation Guidelines

  • Avoid including sensitive data, such as email addresses, in JWTs. The payload is readable by anyone who holds the token, so this can result in unauthorized access to personal information.

    const jwt = require('jsonwebtoken');
    // unsafe: the e-mail is base64url-encoded, not encrypted, and is readable
    // by anyone holding the token (the signing secret is needed only to forge it)
    const token = jwt.sign({ user: { email: 'john@gmail.com' } }, process.env.JWT_SECRET);
    
    
  • Use a non-sensitive, unique identifier such as the user's UUID in the JWT and resolve the sensitive fields server-side on each request.

    const jwt = require('jsonwebtoken');
    // safer: the token carries only an opaque reference; personal data stays in the user store
    const token = jwt.sign({ user: user.uuid }, process.env.JWT_SECRET);

Configuration

To omit this rule during a scan, exclude rule ID javascript_lang_jwt in your scanner's configuration.