Unrevoked JWT detected.

• Rule ID: javascript_express_jwt_not_revoked
• Languages: javascript
• Source: jwt_not_revoked.yml

Description

The best practice caching policy is to revoke JWTs especially when these contain senstitive information.

Remediations

✅ Ensure JWTs are short-lived by revoking them

expressjwt({
  ...
  isRevoked: this.customRevokeCall(),
  ...
})

Resources

• ExpressJWT documentation on revoking tokens

Associated CWE

• CWE-525: Use of Web Browser Cache Containing Sensitive Information

OWASP Top 10

• A04:2021 - Insecure Design

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_express_jwt_not_revoked

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_express_jwt_not_revoked