Stop pasting JWTs into jwt.io
Developers are advised against pasting JSON Web Tokens (JWTs) into jwt.io due to security risks. When a token is pasted, it is sent to a third-party server, which can log sensitive information. Instead, developers should decode JWTs locally in their browser to avoid exposing authentication credentials.
- Pasting JWTs into jwt.io sends authentication credentials to a third-party server.
- JWT payloads are Base64url-encoded and readable, which poses a risk if sensitive information is included.
- Developers can use client-side decoders that run entirely in the browser to avoid network requests.
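A local decoder of the kind the last point describes, added here as an example (not code from the article or from jwt.io). It splits the token, Base64url-decodes the header and payload with no network request, and flags an expired `exp` claim; it only decodes, so `verified` is always false and the claims must not be trusted for authorization. The sample token is constructed inline.

```javascript
// Decode a JWT's header and payload entirely locally (browser or Node).
// Decoding is not verification: the signature is never checked here.
function base64urlToString(segment) {
  // base64url (RFC 4648 section 5): '-' and '_' instead of '+' and '/', no '=' padding
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid base64url segment length');
  if (rem) b64 += '='.repeat(4 - rem);
  const binary = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('binary');
  // Claims may contain non-ASCII text, so decode the bytes as strict UTF-8
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

function stringToBase64url(text) {
  // Encoder used only to build the constructed sample token below
  const bytes = new TextEncoder().encode(text);
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  const b64 = typeof btoa === 'function'
    ? btoa(binary)
    : Buffer.from(binary, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(base64urlToString(parts[0]));
  const payload = JSON.parse(base64urlToString(parts[1]));
  // exp is seconds since the Unix epoch (RFC 7519 NumericDate)
  const now = Math.floor(Date.now() / 1000);
  const expired = typeof payload.exp === 'number' && payload.exp < now;
  return { header, payload, signatureB64url: parts[2], expired, verified: false };
}

// Constructed sample token (HS256 header, made-up claims, placeholder signature)
const SAMPLE_TOKEN = [
  stringToBase64url('{"alg":"HS256","typ":"JWT"}'),
  stringToBase64url('{"sub":"1234567890","name":"Zoë Example","iat":1516239022,"exp":1516242622}'),
  'placeholder-signature-not-verified',
].join('.');

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
```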
Opening excerpt (first ~120 words)
rmb, posted on Jun 3. Tags: #javascript #security #tutorial #webdev

You're debugging an authentication issue. The frontend is getting a 403. You copy the JWT from the Authorization header, open jwt.io in a new tab, paste it in, and check the claims. Most developers do this multiple times a week. I did too. The problem: jwt.io is a third-party website. When you paste a token there, you're sending your authentication credential to their servers.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to (Top).