JWT authentication best practices
- Published 28 Jun 2024
- Learn what JWT is along with its authentication best practices, including authenticating APIs and servers, authorizing across APIs and servers, how to expire a JWT token, and more, with TH-cam frontend content creator, @AlexMercedCoder.
You can find the original blog post here on the LogRocket blog: blog.logrocket.com/jwt-authen...
00:00 LogRocket intro
00:15 Intro to JWT authentication best practices
00:23 What is JWT?
03:06 When to use JWT authentication
03:29 Why we use JWT instead of sessions
05:00 Using JWT for API/server authentication
07:54 Using JWT to authorize operations across servers/APIs
10:36 How to expire a single JWT token
11:08 How to choose the best JWT library
11:55 How to securely store JWTs in a cookie
LogRocket is a frontend monitoring solution that combines session replay, performance monitoring, and product analytics to help software teams create an ideal product experience. Try it for free: logrocket.com/yt
AlexMercedCoder.com - Science & Technology
I understand storing cookies in your browser storage makes you vulnerable to XSS attacks, but doesn't storing it in cookies enable CSRF attacks?
Yes, no method is perfect, so you should still use CSRF tokens where needed. You could also use a third-party identity provider like Auth0 and just offload many of the security issues.
@AlexMercedCoder After further reading, from what I've read, if you only accept, e.g., application/json on your server side, you might not even need CSRF protection, since these attacks use form posts, which do not support application/json as a content type.
@erikschouten1365 Correct.
@AlexMercedCoder The guy who made the video should address that.
Did a fine job overall, though.
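The cookie-versus-CSRF exchange above, worked through in code. This is an added example and not part of the video, the LogRocket post, or the commenters' words; `ALLOWED_ORIGIN`, `buildJwtCookie`, `isCrossSiteSafe` and the sample requests are this example's own names and constructed inputs. It shows the two layers a JSON API that keeps its JWT in a cookie would combine: cookie attributes that stop the browser attaching the token to cross-site requests, and a request filter that refuses every content type an HTML form can produce and any `Origin` that is not our own.

```javascript
// Added example (not from the video or the LogRocket post): keeping a JWT
// in a cookie while rejecting cross-site requests to a JSON API.
// ALLOWED_ORIGIN is an assumption standing in for the deployment's origin.
const ALLOWED_ORIGIN = 'https://app.example.com';

// Set-Cookie header value for the access token.
//  HttpOnly        -> page script cannot read the token (XSS can use the
//                     session while the page is open, but not exfiltrate it)
//  Secure          -> only sent over HTTPS
//  SameSite=Strict -> browser never attaches it to cross-site requests,
//                     which removes classic CSRF on its own
function buildJwtCookie(jwt, maxAgeSeconds = 900) {
  if (/[;\s]/.test(jwt)) throw new Error('token must not contain ; or whitespace');
  return [
    `access_token=${jwt}`,
    'HttpOnly',
    'Secure',
    'SameSite=Strict',
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
  ].join('; ');
}

// The only media types an HTML <form> can submit. A browser will not send
// any other type cross-origin without a CORS preflight, so insisting on
// application/json blocks form-based CSRF. The check must be strict: a body
// parser that also accepts text/plain and JSON.parses it reopens the hole.
const FORM_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// "application/json; charset=utf-8" -> "application/json"
function mediaType(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// Decide whether a state-changing request may proceed. `req` is a plain
// {method, headers} object standing in for the framework's request; header
// names are lower-case, as Node's http module delivers them.
function isCrossSiteSafe(req) {
  const method = req.method.toUpperCase();
  if (method === 'GET' || method === 'HEAD' || method === 'OPTIONS') {
    return { ok: true, reason: 'safe method (must not change state)' };
  }
  const type = mediaType(req.headers['content-type']);
  if (type !== 'application/json') {
    const why = FORM_CONTENT_TYPES.has(type) ? 'form-submittable' : 'unexpected';
    return { ok: false, reason: `${why} content-type ${type || '(none)'}` };
  }
  // Second layer: browsers send Origin on cross-origin requests. Reject a
  // mismatch when present; a stricter deployment also rejects its absence.
  const origin = req.headers['origin'];
  if (origin && origin !== ALLOWED_ORIGIN) {
    return { ok: false, reason: `origin ${origin} not allowed` };
  }
  return { ok: true, reason: 'json request from allowed origin' };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = {
  legitFetch: { method: 'POST', headers: { 'content-type': 'application/json; charset=utf-8', origin: ALLOWED_ORIGIN } },
  crossSiteForm: { method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded', origin: 'https://evil.example' } },
  textPlainTrick: { method: 'POST', headers: { 'content-type': 'text/plain', origin: 'https://evil.example' } },
  jsonFromOtherOrigin: { method: 'POST', headers: { 'content-type': 'application/json', origin: 'https://evil.example' } },
  readOnly: { method: 'GET', headers: {} },
};

// Run the filter over every sample and return the verdicts by name.
function evaluateSamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) out[name] = isCrossSiteSafe(req);
  return out;
}

for (const [name, verdict] of Object.entries(evaluateSamples())) {
  console.log(`${name.padEnd(20)} ${verdict.ok ? 'ALLOW ' : 'REJECT'} ${verdict.reason}`);
}
```

Two caveats for anyone relying on this: the content-type check is only as good as the body parser behind it, so configure the parser to accept `application/json` exclusively rather than "anything it can parse"; and `SameSite=Strict` also withholds the cookie on top-level navigations arriving from another site (a link in an email, for instance), which is why some deployments choose `Lax` for the session cookie and lean on the request filter for the remaining cross-site POST cases.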
Pronunciation of "library" gave me a slight cringe, but I am thinking it's regional; are you in the south?
Great tutorial :)
This does not address a lot of problems with JWT. For instance, you cannot easily revoke tokens. Also, the concept of refresh tokens.