Sensitive data in a JWT detected.

  • Rule ID: php_lang_jwt
  • Languages: php
  • Source: jwt.yml

Description

JWTs are not a secure place to store sensitive data. This rule looks for any sensitive data types saved to a JWT.

Remediations

❌ Avoid storing sensitive data in JWT:

use Firebase\JWT\JWT;

// The e-mail address is only base64url-encoded inside the token, not encrypted,
// so anyone who obtains the JWT can read it.
$payload = [
    'data'  => 'data',
    'email' => $user->email
];
$jwt = JWT::encode($payload, $key, 'HS256');

✅ If you need to store user information, use the user's unique database identifier instead of personally identifiable information:

use Firebase\JWT\JWT;

// An opaque identifier reveals nothing on its own; the server resolves it
// to the user record when the token is verified.
$payload = [
    'data' => 'data',
    'uuid' => $user->uuid
];
$jwt = JWT::encode($payload, $key, 'HS256');
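The following is an added example, not code from the Bearer rule page or from the firebase/php-jwt library. It builds an HS256 token by hand in plain PHP (same wire format as JWT::encode with 'HS256', no Composer dependency) so that the two payloads above can be compared directly: the signature proves the token was not tampered with, but it does nothing to hide the claims, which any holder of the token can decode without the key. The list of sensitive claim names and the sample user, uuid and signing key are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example (not from the Bearer page or php-jwt): hand-rolled HS256 JWT
// used to show that signing gives integrity, not confidentiality.

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string
{
    $padded  = str_pad($data, strlen($data) + (4 - strlen($data) % 4) % 4, '=');
    $decoded = base64_decode(strtr($padded, '-_', '+/'), true);
    if ($decoded === false) {
        throw new InvalidArgumentException('Segment is not valid base64url');
    }
    return $decoded;
}

// Minimal HS256 signer producing header.payload.signature, like JWT::encode($payload, $key, 'HS256').
function jwt_hs256_encode(array $payload, string $key): string
{
    $header       = ['typ' => 'JWT', 'alg' => 'HS256'];
    $signingInput = base64url_encode(json_encode($header)) . '.' . base64url_encode(json_encode($payload));
    $signature    = hash_hmac('sha256', $signingInput, $key, true);
    return $signingInput . '.' . base64url_encode($signature);
}

// Integrity check: recompute the HMAC over the first two segments and compare in constant time.
function jwt_hs256_verify(string $jwt, string $key): bool
{
    $parts = explode('.', $jwt, 3);
    if (count($parts) !== 3) {
        return false;
    }
    [$h, $p, $s] = $parts;
    $expected = hash_hmac('sha256', $h . '.' . $p, $key, true);
    return hash_equals($expected, base64url_decode($s));
}

// Confidentiality failure: the claims are readable by anyone holding the token, with no key at all.
function jwt_read_claims_without_key(string $jwt): array
{
    [, $payloadSegment] = explode('.', $jwt, 3);
    return json_decode(base64url_decode($payloadSegment), true, 512, JSON_THROW_ON_ERROR);
}

// Guard modelled on what the rule flags: refuse to sign claims whose names indicate
// personal data. The key list below is an assumption for this example, not Bearer's.
const SENSITIVE_CLAIM_KEYS = ['email', 'phone', 'ssn', 'password', 'address', 'name'];

function assert_no_sensitive_claims(array $payload): void
{
    $keys = array_map(fn($k) => strtolower((string) $k), array_keys($payload));
    $hits = array_intersect($keys, SENSITIVE_CLAIM_KEYS);
    if ($hits !== []) {
        throw new InvalidArgumentException('Refusing to sign sensitive claims: ' . implode(', ', $hits));
    }
}

// Constructed sample data for the demonstration.
$user = (object) [
    'email' => 'alice@example.com',
    'uuid'  => '3f1c2a8e-0b5d-4a7e-9c21-6d8f0e4b1a77',
];
$key = 'constructed-demo-signing-key';

// The ❌ payload from the page: the signature verifies, and the e-mail is recovered without the key.
$leaky = jwt_hs256_encode(['data' => 'data', 'email' => $user->email], $key);
printf("leaky token verifies: %s\n", jwt_hs256_verify($leaky, $key) ? 'yes' : 'no');
printf("claims visible to any token holder: %s\n", json_encode(jwt_read_claims_without_key($leaky)));

// The ✅ payload from the page: only an opaque identifier is exposed, and the guard lets it through.
$safePayload = ['data' => 'data', 'uuid' => $user->uuid];
assert_no_sensitive_claims($safePayload);
$safe = jwt_hs256_encode($safePayload, $key);
printf("claims visible to any token holder: %s\n", json_encode(jwt_read_claims_without_key($safe)));

// The guard rejects the leaky payload before a token is ever issued.
try {
    assert_no_sensitive_claims(['data' => 'data', 'email' => $user->email]);
} catch (InvalidArgumentException $e) {
    printf("blocked: %s\n", $e->getMessage());
}
```

Run it with `php example.php`. The point to take from the output is that jwt_hs256_verify succeeds for both tokens while jwt_read_claims_without_key also succeeds for both: HS256 guarantees that the claims were issued by a holder of the key, not that they are secret. A claim-name guard such as assert_no_sensitive_claims is a runtime backstop; the Bearer rule catches the same pattern statically before the code ships.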

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=php_lang_jwt

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=php_lang_jwt
