Never Trust The Client
In this lesson, we'll see how JWTs can be used to prevent clients from tampering with data.
As we’ve seen before, cookies issued by our servers can be tampered with, especially if they’re not HttpOnly and are therefore readable and writable by JS code running on your page.
At the same time, even if your cookies are HttpOnly, storing plaintext data in them is not secure: HttpOnly only keeps scripts in the browser away from the cookie. Any client that holds it (even a plain curl command) can read it, modify it and re-issue the request with a modified version of the original cookie.
Suppose your session cookie contains this information:
profile=dXNlcm5hbWU9TGVCcm9uLHJvbGU9dXNlcg==;
The string is merely base64-encoded, not encrypted, and anyone can decode it to get its actual value, username=LeBron,role=user. At that point they can replace user with admin, re-encode the string and send it back, having altered the value of the cookie at will.
If your system trusts this cookie without any additional check, you’re in trouble. You should never trust the client, and you should make sure it cannot tamper with the data you’ve handed off without you noticing. A popular fix is to sign this data (so the server detects any modification) or encrypt it (so the client can’t even read it), which is exactly what JSON Web Tokens do.
JSON Web Tokens
Let’s drift for a second and dive into JWTs, as their simplicity lets us understand the security mechanism behind them extremely well. A JWT is made of three parts: ...