Missing Revoke Method on JWT

Overview

  • Rule ID: javascript_express_jwt_not_revoked

  • Applicable Languages: Javascript

  • Weakness ID: CWE-693

Description

Failing to implement a revoke method for JSON Web Tokens (JWTs) can lead to security vulnerabilities, especially when the tokens contain sensitive information. A JWT is self-contained: once issued, it remains valid until its expiry (`exp`) claim unless the server explicitly checks it against a revocation list on each request. To maintain the integrity and confidentiality of data contained within JWTs, it is best practice to have a caching policy that always includes a revoke mechanism.

Remediation Guidelines

  • Do ensure JWTs are short-lived and implement a method to revoke them before they expire. This reduces the window in which a leaked or misused token can grant unauthorized access to sensitive information.

    const { expressjwt } = require("express-jwt");

    expressjwt({
      ...
      // isRevoked receives a function (req, token) => Promise<boolean>;
      // pass the function itself rather than calling it here.
      isRevoked: customRevokeCall,
      ...
    })
    
