Hi currently i have an angular application and java backend. in my angular component html i have some image such as profile photos. the resource that serves the image files is secured with spring security . so my quesiton is it bad to append json web tokens as part of an image url ? can it cause a security breach ? is it a bad practice ?
the following is how my angular code looks like from the chrome developer tool.
<div _ngcontent-c5="" class="avatar-circle bg-secondary text-brand-secondary" ng-reflect-klass="avatar-circle" ng-reflect-ng-class="bg-secondary,text-brand-second" style="background-image: url("http://localhost:8080/api/files/4eb81fa8-9c5d-4920-b0f5-c9239fb1cae7?access_token=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJnbG9iYWxhZG1pbkBsb2NhbGhvc3QiLCJhdXRoIjoiUk9MRV9HTE9CQUxfQURNSU4iLCJleHAiOjE1NjExOTkwNTh9.UFvdgZNxs_O1uTjtUh64ko3A47R2fxZxYFX0aXv2Jp_TkVrmlBT1mzN40JwclGk3m0sCZONKbnVhgXXKy69DfQ");">
<!--bindings={
"ng-reflect-ng-if": "false"
}-->
</div>
any help is appreciated . i would love to pass the access_token as part of the http get request header but i couldnt find a proper code anywhere. any help is appreciated.
A JSON Web Token (JWT, pronounced "jot") is a compact and URL-safe way of passing a JSON message between two parties. It's a standard, defined in RFC 7519.
You can also pass the token in as a paramater in the query string instead of as a header or a cookie (ex: /protected? jwt=<TOKEN>). However, in almost all cases it is recomended that you do not do this, as it comes with some security issues.
Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be passed in page URLs (for example as query string parameters). Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken.
2. The token can be used to access the application. If your JWT is stolen or compromised, then the attacker has full access to your account. The attacker can send requests to applications, pretending to be you, and can make potentially harmful changes.
Depending on the image, you may want to make it public available or consider a different way to send to token to the server (a cookie may help).
Can it cause a security breach? Is it a bad practice?
As mentioned in my previous answer, JWT tokens are URL-safe when it comes to their syntax. Here is a quote from the RFC 7519:
A JWT is represented as a sequence of URL-safe parts separated by period (
.
) characters. Each part contains a base64url-encoded value. [...]
However, when using JWT as bearer tokens, it's advisable to avoid sending them in the URL. See the following quote from the RFC 6750:
Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be passed in page URLs (for example, as query string parameters).
Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken.
Browsers, web servers, and other software may not adequately secure URLs in the browser history, web server logs, and other data structures. If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With