Update Authentication Cheat Sheet: add Common JWT Implementation Mistakes section#2101
Open
franrob-projects wants to merge 1 commit intoOWASP:masterfrom
Conversation
…akes section Closes OWASP#1973 Adds a new 'Common JWT Implementation Mistakes' subsection under the OAuth 2.0 / OpenID Connect block, covering five practical mistakes developers make when integrating JWTs into authentication flows: - Storing JWTs in browser-accessible storage (localStorage/sessionStorage) - Missing or insufficient token expiration (exp claim) - Failing to validate iss, aud, sub, and signature claims - Placing sensitive data in unencrypted JWT payloads - Using JWTs in scenarios that require immediate revocation Each mistake includes a concrete recommendation. Section links to the OWASP JWT Cheat Sheet for deeper attack/defence detail.
franrob-projects
requested review from
jmanico,
kwwall,
mackowski and
szh
as code owners
andrzejsydor
approved these changes
Apr 20, 2026
franrob-projects
added a commit
to franrob-projects/portfolio
that referenced
this pull request
Apr 21, 2026
- Add TeachYAR and GibTrain (Gibraltar Compliance) project cards. Extend Project interface with an optional live URL and a "Live site" button. GibTrain links to its GitHub Pages deployment. - Add "Open-source contributions" subsection listing five docs PRs: graphprotocol/docs#1096, open-telemetry/opentelemetry.io#9711, redpanda-data/docs#1656, OWASP/CheatSheetSeries#2101 and #2100. Styled with repo code-tag, state pill, and PR number. - Home page copy: "Tech writer" -> "All things docs", "My writer journey" -> "My journey". - Expand the Ably entry with the docs re-engineering work (Textile -> Next.js + TypeScript + React) and link the two merged MDX conversion PRs: ably/docs#2911 (REST API) and #2913 (SSE). - Expand docs/ably/index.md with a new "Re-engineering the docs site" section plus images across SSE, webhooks, pub/sub, troubleshooting, and architecture. Add a troubleshooting subsection linking ably/docs#2984 (HAR file guide) and #2818 (service disruptions). - Rename static/img/ably/ably-troubleshooting/ (drop the trailing space in the directory name that was breaking image references). - Remove em-dashes from site content (projects page, 3 blog post alt-texts) using contextual substitutions: colons for titles and list intros, commas/periods for mid-sentence pauses, parens for a parenthetical, pipe for the HTML page title. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Collaborator
|
@jmanico please take a look on this one |
mackowski
reviewed
Apr 26, 2026
|
|
||
| JWTs are designed for stateless, short-lived bearer credentials. They are a poor fit for scenarios that require immediate revocation (for example, after a security event such as a password change or account suspension), because the token remains cryptographically valid until its `exp` is reached. | ||
|
|
||
| **Recommendation:** For sessions that require instant revocation, supplement JWTs with a server-side denylist keyed on the `jti` (JWT ID) claim, or replace JWTs with opaque session tokens backed by a session store that can be invalidated on demand. |
Collaborator
There was a problem hiding this comment.
This advice is incomplete for distributed systems. I would add something like:
"the denylist must be shared across all service instances (e.g., in Redis or a database), not held in
memory per instance"
andrzejsydor
approved these changes
Apr 26, 2026
Member
|
Folks we have an entire JWT cheatsheet... https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html Can we add this work there instead and link to it? |
jmanico
requested changes
Apr 26, 2026
Member
jmanico
left a comment
jmanico
left a comment
There was a problem hiding this comment.
Suggest making changes to https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html instead
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR addresses
Closes #1973
The Authentication Cheat Sheet covers OAuth 2.0 and OpenID Connect but does not address the common mistakes developers make specifically when implementing JWT-based authentication. Given how frequently JWTs appear in modern app stacks, this is a practical gap.
Changes
Adds a new
### Common JWT Implementation Mistakessubsection directly after the OpenID Connect section, covering five concrete mistakes with recommendations for each:Storing JWTs in browser-accessible storage —
localStorage/sessionStorageexposure via XSS; recommendation to useHttpOnlycookies for refresh tokens and in-memory storage for access tokens.Missing or insufficient token expiration — tokens without
expor with far-future expiry cannot be revoked; recommendation for short access token TTLs (15 min–1 hr) with refresh token rotation.Failing to validate
iss,aud,sub, and signature claims — recommendation to always verify all four, and to never acceptalg: none.Placing sensitive data in JWT payloads — payloads are Base64Url-encoded, not encrypted; recommendation to use JWE or opaque tokens when sensitive claims are required.
Using JWTs where immediate revocation is needed — JWTs remain valid until
exp; recommendation to use ajtidenylist or opaque session tokens for high-security contexts.Section closes with a link to the OWASP JSON Web Token Cheat Sheet for deeper coverage.
Checklist
[TEXT](URL)AI Tool Usage Disclosure