What is missing or needs to be updated?
The Authentication Cheat Sheet currently references modern authentication mechanisms such as OAuth 2.0 and OpenID Connect, but does not explicitly address common implementation mistakes developers make when using JSON Web Tokens (JWTs). This can lead to insecure authentication and session handling in real-world applications.
How should this be resolved?
Add a new section titled "Common JWT Implementation Mistakes" to the Authentication Cheat Sheet to provide practical guidance for developers.
The section would focus on frequent errors observed in JWT-based authentication implementations, including:
- Risks of storing JWTs in browser-accessible storage
- Importance of setting appropriate token expiration
- Validating issuer, audience, and signature claims
- When JWTs are not the appropriate authentication mechanism
- Avoiding sensitive data in JWT payloads
This change would be limited to a single file and aim to provide concise, developer-focused recommendations.
References
- OWASP JSON Web Token Cheat Sheet
- RFC 7519
- OWASP Top 10: Identification and Authentication Failures
What is missing or needs to be updated?
The Authentication Cheat Sheet currently references modern authentication mechanisms such as OAuth 2.0 and OpenID Connect, but does not explicitly address common implementation mistakes developers make when using JSON Web Tokens (JWTs). This can lead to insecure authentication and session handling in real-world applications.
How should this be resolved?
Add a new section titled "Common JWT Implementation Mistakes" to the Authentication Cheat Sheet to provide practical guidance for developers.
The section would focus on frequent errors observed in JWT-based authentication implementations, including:
This change would be limited to a single file and aim to provide concise, developer-focused recommendations.
References