Unrevoked JWT detected.

• Rule ID: javascript_express_jwt_not_revoked
• Languages: javascript
• Source: jwt_not_revoked.yml

Description

The best practice caching policy is to revoke JWTs especially when these contain senstitive information.

Remediations

✅ Ensure JWTs are short-lived by revoking them

expressjwt({
  ...
  isRevoked: this.customRevokeCall(),
  ...
})

Resources

• ExpressJWT documentation on revoking tokens

Associated CWE

• CWE-525: Use of Web Browser Cache Containing Sensitive Information

OWASP Top 10

• A04:2021 - Insecure Design