Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

jwt: Why is my token shown in Chrome DevTools?

Tags:

security

express

google-chrome-devtools

jwt

I have a API in Express.js that will create blog posts and add them to my database. When I make a request from my React app inside of DevTools it will show my JWT. I am worried that when my site goes live people can see my token and make a request from their site to add unwanted posts. Please tell me what is going on and how I can prevent the security error.

like image 345
Nathaniel Fredericks Avatar asked Nov 20 '17 22:11

Nathaniel Fredericks

People also ask

Can someone steal my JWT token?

JWT tokens provide secure access to an authenticated user, and attackers are always looking for ways to steal these tokens and quickly gain access by impersonating a consumer.

2 Answers

When you send a request with a token in the header it will look like this in the header pane in Developer Tools:

Token in request header

I assume that's what you are wondering whether is safe or not.

The connection between the React app and the API is unencrypted when you are using ordinary HTTP. That makes a replay attack possible – an ISP or another server between the front-end and the API can read the token and pretend to be you later on with the read token.

The most important solution to that is to use HTTPS, which is encrypted HTTP. Potential attackers are unable to sniff and steal the tokens when you are using HTTPS. When you are dealing with usernames, passwords, etc., you should always use HTTPS.

HTTPS is free to use and not very hard to set up. See here for more details. There is also an interesting discussion here that you might want to read.

like image 32
Mika Sundland Avatar answered Sep 24 '22 01:09

Mika Sundland

it's possible to see the JWT on the Chrome Dev tools because you are sending it as authorization header when creating a new blog post on your API, and you are making this request directly from the React application.

If the JWT is sensitive it should never be available on the front-end, you must have a server acting like a proxy, it should receive the request from the React application and then forward the request with JWT as the authorization header to your API.

Doing that you would avoid leaking the JWT, but it would still possible for someone to make requests to your proxy, which will be forwarded to your API.

If you want that only your react application be able to perform requests to your proxy, you could create a middleware which verifies the IP address of the incoming request (more details here), if it matches with your React app address then you accept the request, otherwise, you return a non-authorized error.

If you want only specific people to be able to create blog posts, then you should put authentication on the react application.

like image 73
nicolastrres Avatar answered Sep 24 '22 01:09

nicolastrres
Sign in to Comment

Related questions

Security of Android assets folder
what are the vulnerabilities in direct use of GET and POST?
How to hide or secure javascript code from client side [duplicate]
How do I get the current windows user's name in username@domain format?
How to erase StringBuilder memory with zero
Can a JavaScript hosted on different domain read/modify DOM of another domain?
Parse Pointer Permissions don't allow create
How does ReCAPTCHA work?
HDFS from Java - Specifying the User
Are Harvard architecture computers immune to arbitrary code injection and execution attacks?
Json: PHP to JavaScript safe or not?
When it is necessary to use Classes in PHP
Password hashing (non-SSL)
Prevent hidden input from being altered
Determining a User's Group Membership
Are sql injection attacks only a threat on a page that has a form?
md5 decoding. How they do it?
protect Java Application by licence or key [closed]
SecureRandom safe seed in Java
How to create a password reset link?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!