Sign in Subscribe

Topic

JWT

A collection of 5 issues

Why PASETO Might Not Be the JWT Replacement We Hoped For

PASETO, a potential alternative to JWT, has sparked conversations within the security and developer community alike (for once). While PASETO has garnered some attention as a potential JWT replacement, it's essential to highlight the project's key points and gather insights from its founders and supporters to

JWT: A Cryptographic Love Story with Security, Vulnerabilities, and a State of Confusion

Folks, remember to be careful with your JWTs. Use strong cryptographic algorithms, manage those secret keys like they're your firstborn child, and always, always validate those JWTs like your life depends on it. And for goodness' sake, keep your sensitive information under lock and key! Benefits Imagine

JWT Patterns that provide real security benefits

Throughout this post we will keep an YUK WORD tally of things that are not security characteristics of JWT, that many so-called JWT experts (and everyone else) assume are "a thing" that really are just hand-waving nonsense. Starting with; verify is not validation YUK WORD verify Verify vs

Really giving a jot about JWTs

Instacart Sr Security Engineer David Gillman (or Gilman? Either OWASP or LASCON got it wrong) presented a talk in 2021 and followed up with a podcast interview released today. One thing David is excellent at describing developer benefits, and developer-centric Patterns and Anti-Patterns when using JWT. If you are an

JWT and HMAC in the browser, safe?

Is using JWT and HMAC in the browser, safe? How could they be? Don't they require a pre-shared secret? How can it be "secret" in the browser!? Secrets can actually be "secret" in browsers and apps, but almost always isn't securely shared