Sensitive data in a JWT detected.
- Rule ID: javascript_lang_jwt
- Languages: javascript
- Source: jwt.yml
Description
JWTs are not a secure place to store sensitive data. This rule looks for any sensitive data types saved to a JWT.
Remediations
❌ Avoid storing sensitive data in JWTs:
const jwt = require('jsonwebtoken');
const token = jwt.sign({ user: { email: 'jhon@gmail.com' }});
✅ If you need to store user's information, use their unique database identifier instead of personal identifiable information:
const jwt = require('jsonwebtoken');
const token = jwt.sign({ user: user.uuid });
Resources
Associated CWE
OWASP Top 10
Ready to take the next step? Join the Bearer Cloud waitlist.