JSON Web Token (JWT)
Also called: "jwt", "bearer token"
JWTs consist of three parts: header, payload, and signature, separated by dots.
Structure
- Header: Algorithm and token type.
- Payload: Claims about the user or session.
- Signature: Cryptographic signature over the header and payload, computed with a secret key (HMAC) or a private key, which lets the recipient verify that the token has not been altered.
Security considerations
- Never store sensitive data in the payload (it is base64url-encoded, not encrypted, so anyone holding the token can read it).
- Validate signatures on every request to prevent tampering.
- Set short expiration times and implement refresh token rotation.
- Use strong signing algorithms (asymmetric ones such as RS256 or ES256, which let verifiers hold only a public key) over HS256 when possible.
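A minimal HS256 verifier illustrating the structure and checks above (signature verified on every call, algorithm pinned server-side, expiry enforced). This is an added example, not code from the original page; the key and claims are constructed for the demo, and the sign_hs256/verify_hs256/is_valid names are the example's own.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-secret-do-not-use"  # constructed sample key; load from a secret store in practice

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload: dict, key: bytes) -> str:
    """Build header.payload.signature with HS256 (HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, key: bytes, now: float = None) -> dict:
    """Return the payload if signature and expiry check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    h_b64, p_b64, s_b64 = parts
    # Pin the algorithm rather than trusting the header's "alg": a token claiming
    # any other algorithm (including "none") is rejected before any crypto runs.
    if json.loads(b64url_decode(h_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison of the recomputed MAC against the presented one.
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(p_b64))
    now = time.time() if now is None else now
    # Require an exp claim and enforce it: short lifetimes bound a leaked token's usefulness.
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    return payload

def is_valid(token: str, key: bytes, now: float = None) -> bool:
    try:
        verify_hs256(token, key, now)
        return True
    except ValueError:
        return False
```

Decoding a token's payload with base64 alone (as the first consideration warns) shows its claims to anyone; only the signature check ties those claims to the issuer.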