#71: Break Into JSON Web Token (3 Minutes)
The biggest thing about JWTs: since they’re stateless, they scale really well.
No need for the server to remember who you are between requests.
Nice read, Neo!
thanks a lot, Raul!
It's also important to mention that even if we try to embed some more information in the token, it will get rejected by the server because it won't be valid.
Great article, Neo!
thanks Petar!
Super interesting about how JWT works.
I wonder how a man-in-the-middle attack works with regard to this.
nice to see you here, Uriel.
- default to HTTPS
- server validates the JWT signature each time, so it's difficult to spoof
- encrypt JWT (https://www.rfc-editor.org/rfc/rfc7516)
- some best practices: https://newsletter.systemdesign.one/i/162682441/jwt-security
Thanks Neo!
I'll take a look :)
Can you elaborate on how JWK sets work with JWTs: https://stytch.com/blog/understanding-jwks/
hey Stephen, will try to cover it in a future article. Thanks!
If only the server which signed the JWT can verify it, how does it solve the problem of NOT having a single point of failure?
It does not... you should use other techniques such as public and private keys to ensure other servers can verify the JWT.
https://fromcodetocorneroffice.substack.com/
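An added example, not from the article or any of the commenters, of the public/private key approach mentioned above: the issuing server signs with an ES256 private key, and any other service verifies with the public key alone, so no shared secret or session state is needed. It also shows why a payload altered after signing is rejected. The names NewKey, Sign and Verify and the sample claims are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"math/big"
	"strings"
)

const header = `{"alg":"ES256","typ":"JWT"}` // the only JOSE header issued or accepted here
// b64 is base64url without padding, as JWS requires.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// NewKey makes the issuer's P-256 key pair; only PublicKey is handed to verifiers.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Sign issues a compact ES256 JWT over a JSON payload; only the holder of priv can.
func Sign(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	signingInput := b64([]byte(header)) + "." + b64(payload)
	h := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is R||S, 32 bytes each, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// Verify needs only the public key, so other services check tokens without priv or shared state.
func Verify(pub *ecdsa.PublicKey, token string) ([]byte, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != b64([]byte(header)) {
		return nil, false // pin the header: the token never gets to choose alg
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	payload, perr := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || perr != nil || len(sig) != 64 {
		return nil, false
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // exactly the bytes that were signed
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, h[:], r, s) {
		return nil, false // payload edited after issuance, or signed by another key
	}
	return payload, true
}
```

A production verifier would parse the header and check `alg` (and `kid`) rather than pinning one exact header string, and would also validate claims such as `exp`.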