security - Is it safe to put a jwt into the url as a query parameter of a GET request?

Question

Welcome To Ask or Share your Answers For Others

security - Is it safe to put a jwt into the url as a query parameter of a GET request?

1 Answer

深蓝 · Answer 1 · 2021-10-16T22:35:21+0000

It can be safe under the following circumstances:

the JWT is one-time time usage only
the jti and exp claims are present in the token
the receiver properly implements replay protection using jti and exp

but in case it is used as a token that can repeatedly be used e.g. against an API then supplying it as a query parameter is less preferred since it may end up in logs and system process information, available to others that have access to the server or client system. In that case would be better to present it as part of a header or a POST parameter.

Besides that, by using it in the query parameters you may run in to URL size limitations on browsers or servers; using it in a header provides some more space, using it as a POST parameter would work best.

Categories

security - Is it safe to put a jwt into the url as a query parameter of a GET request?

security - Is it safe to put a jwt into the url as a query parameter of a GET request?

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags