Leakage of sensitive data in JWT

Overview

Rule ID: javascript_lang_jwt
Applicable Languages: Javascript
Weakness ID: CWE-312

Description

Storing sensitive data in JWTs exposes it to potential security risks. While JWTs are meant for securely transmitting data between parties, they are not inherently secure for storing sensitive information.

Remediation Guidelines

Avoid including sensitive data, such as email addresses, in JWTs. This can result in unauthorized access to personal information.
```
const jwt = require('jsonwebtoken');
const token = jwt.sign({ user: { email: '[email protected]' }}); // unsafe
```
Use non-sensitive, unique identifiers like a user's UUID in JWTs to reference user information securely.
```
const jwt = require('jsonwebtoken');
const token = jwt.sign({ user: user.uuid });
```

References

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousLeakage of sensitive data in exception message NextLeakage of sensitive data in local storage

Last updated 1 year ago

hashtagOverview

hashtagDescription

hashtagRemediation Guidelines

hashtagReferences

hashtagConfiguration

Overview

Description

Remediation Guidelines

References

Configuration