Basiran
In the high-stakes environment of modern software engineering, authentication is the cornerstone of system integrity. Yet, a recent incident at a mid-sized technology firm—where a developer attempted to pass sensitive user data, including CPF numbers and password hashes, directly within a JSON Web Token (JWT) payload—has reignited a long-standing debate within the developer community. The developer, operating under the dangerous misconception that Base64 encoding equates to encryption, nearly exposed the entire user base before a vigilant code review intercepted the Pull Request (PR).
While this specific incident was caught in time, it highlights a systemic issue: developers are increasingly adopting JWTs as the "default" authentication standard without fully grasping the cryptographic foundations or the architectural trade-offs involved.
The Architectural Choice: JWT vs. Server-Side Sessions
Before a single line of code is written, architects must decide between a stateless (JWT) or stateful (Session + Redis) approach. The choice is not merely technical; it defines the security perimeter of the application.
Comparison Matrix
| Criteria | JWT (Stateless) | Session + Redis (Stateful) |
|---|---|---|
| Immediate Revocation | Not native | Simple (destroy session) |
| Horizontal Scalability | High (no shared state) | Requires shared Redis |
| Microservices | Ideal (token carries context) | Complex (requires shared access) |
| Instant Logout | Only with blocklist | Native |
| Implementation Complexity | Moderate | Low |
The industry has trended toward JWTs for microservices and mobile APIs because they eliminate the need for a centralized session store. However, this convenience comes at a cost. When an organization chooses JWT simply because it is "modern," they often fail to account for the lack of native revocation. In a system where immediate security responses—such as banning a compromised account or forced password resets—are required, a stateless JWT approach can lead to a significant security gap.
Understanding the JWT Anatomy
To prevent the next security incident, teams must move past the idea that JWTs are "magic black boxes." A JWT is a signing mechanism, not an encryption layer. It consists of three distinct parts separated by dots: the Header, the Payload, and the Signature.
The Structure
- Header: Defines the algorithm (e.g., HS256).
- Payload: Contains the claims (e.g.,
sub,role,exp). This section is merely Base64URL-encoded and can be decoded by anyone. - Signature: The mathematical proof that the token has not been tampered with, generated using a
JWT_SECRET.
The danger lies in the developer’s perception. Because the data is "encoded," it looks obscured to the untrained eye. However, tools like the JWT Decoder demonstrate that this data is human-readable in milliseconds. Security in JWTs is derived entirely from the integrity of the signature, not the secrecy of the payload.
The Five Pillars of JWT Compromise
Beyond the "Base64 is encryption" myth, there are five specific, dangerous patterns that regularly compromise production APIs.
1. Sensitive Data in the Payload
The most egregious error is storing sensitive information like credit card numbers or raw password hashes. If the secret is leaked, or if a developer logs the tokens for debugging, the entire user record is exposed. The golden rule is: Carry only the authorization context (user ID, roles, permissions) in the payload.
2. The none Algorithm Vulnerability
Some legacy libraries allow the alg: "none" header. An attacker can modify the payload and set the algorithm to "none," effectively bypassing the signature check. Always explicitly define the allowed algorithms in your code:
jwt.verify(token, secret, algorithms: ["HS256"] );
3. Weak Secrets and Repository Leaks
Hardcoding a secret like super-secret-123 or committing the secret to a Git repository is a fatal flaw. A short, predictable secret can be cracked via offline brute force. Use cryptographically strong, randomly generated keys stored in secure environments like AWS Secrets Manager or HashiCorp Vault.
4. Missing Expiration (exp)
A token without an expiration claim is a "forever" token. If it is intercepted, the attacker gains permanent access. Always implement short-lived access tokens (e.g., 15 minutes) to minimize the blast radius of any potential compromise.
5. Ignoring aud and iss in Multi-Service Architectures
In environments with multiple microservices, a token generated for "Service A" might be accepted by "Service B" if the system does not validate the Audience (aud) and Issuer (iss) claims. This allows for lateral movement by attackers who exploit service-to-service trust.
The Role of Secure Storage
Where you store the token on the client side is a battle between XSS (Cross-Site Scripting) and CSRF (Cross-Site Request Forgery) protections.
- LocalStorage: Vulnerable to XSS. If a malicious script runs on your page, it can steal the token.
- HttpOnly Cookies: Immune to XSS, but vulnerable to CSRF. By setting the
HttpOnly,Secure, andSameSite=Strictflags, developers can effectively mitigate the majority of these risks.
The consensus among security professionals is that HttpOnly cookies provide a significantly more robust defense-in-depth strategy for web-based applications, as they prevent client-side scripts from interacting with the sensitive token data.
Refresh Token Rotation: The "Gold Standard" for Stateless Security
Because access tokens must be short-lived for security, the implementation of a "Refresh Token" flow is necessary. However, a static refresh token is just as dangerous as a long-lived access token. The solution is Refresh Token Rotation.
In this flow, every time a refresh token is used to obtain a new access token, the old refresh token is invalidated, and a brand-new one is issued. By tracking a familyId in a database, the system can detect if an old refresh token is reused—a definitive sign that the token has been stolen. If a "reuse" event occurs, the system can immediately revoke the entire family of tokens, effectively kicking the attacker out of the system.
Summary Checklist for Production
Before deploying any JWT-based system, engineering leads should ensure the following:
- Signature Enforcement: Are you verifying the algorithm?
- Secret Management: Is the
JWT_SECRETrotated and stored outside of source control? - Claims Validation: Are
exp,iat,aud, andisschecked on every request? - Storage Strategy: Are you using
HttpOnlycookies where possible? - Revocation Mechanism: Is there a process for handling account lockouts?
Final Thoughts: When to Choose Sessions
JWTs are an incredible tool for modern, distributed architectures, but they are not a "silver bullet." If your application requires high-granularity control—such as the ability to force a global logout for a user across all devices or immediate permissions propagation—server-side sessions remain the more secure and simpler architecture.
The incident that triggered this analysis was a "near miss," but it serves as a wake-up call for the industry. Security is not about choosing the trendiest tool; it is about understanding the mechanics beneath the surface and treating every byte of data as a potential vulnerability.
Sagoh
Lina Hope
Suro Senen
Layla Zulfa
Raul Delapena Setiawan
Dwi Wanna