Sensitive data in a JWT detected.

• Rule ID: php_lang_jwt
• Languages: php
• Source: jwt.yml

Description

JWTs are not a secure place to store sensitive data. This rule looks for any sensitive data types saved to a JWT.

Remediations

❌ Avoid storing sensitive data in JWT:

$payload = [
  'data' => 'data',
  'email' => $user->email
];
$jwt = JWT::encode($payload, $key, 'HS256');

✅ If you need to store user's information, use their unique database identifier instead of personal identifiable information:

$payload = [
  'data' => 'data',
  'uuid' => $user->uuid
];
$jwt = JWT::encode($payload, $key, 'HS256');

Associated CWE

• CWE-315: Cleartext Storage of Sensitive Information in a Cookie

OWASP Top 10

• A05:2021 - Security Misconfiguration

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_jwt

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_jwt