Sensitive data in a JWT detected.

• Rule ID: ruby_lang_jwt
• Languages: ruby
• Source: jwt.yml

Description

JWTs are not a secure place to store sensitive data. This rule looks for any sensitive data types saved to a JWT.

Remediations

❌ Avoid storing sensitive data in JWT:

payload = { data: 'data', email: user.email }
token = JWT.encode payload, hmac_secret, 'HS256'

✅ If you need to store user's information, use their unique database identifier instead of personal identifiable information:

payload = { data: 'data', user_id: user.uuid }
token = JWT.encode payload, hmac_secret, 'HS256'

Associated CWE

• CWE-315: Cleartext Storage of Sensitive Information in a Cookie

OWASP Top 10

• A05:2021 - Security Misconfiguration