JWT Security: Vulnerabilities, Best Practices & Implementation Guide
On this page
JWT Security in 2025: Complete Guide to Vulnerabilities & Best Practices
JSON Web Tokens (JWTs) power authentication in 94% of modern APIs (Source: Postman State of API Report, 2024). Yet JWT misconfigurations remain among the top API security risks (OWASP API Top 10). This guide provides research-backed best practices, real breach case studies, and production-ready code.
What is a JWT? Token Anatomy Explained
A JWT consists of three Base64-encoded parts separated by dots:
┌────────────────────────────────────────────────────────────────┐
│ eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9 │ ◄── Header
│ . │
│ eyJzdWIiOiIxMjM0NTY3ODkwIiwiZW1haWwiOiJ1c2VyQGV4YW1wbGUuY29tIn │ ◄── Payload
│ . │
│ SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c │ ◄── Signature
└────────────────────────────────────────────────────────────────┘
Header
{
"alg": "RS256",
"typ": "JWT"
}
Payload (Claims)
{
"sub": "user123",
"email": "user@example.com",
"iat": 1708012800,
"exp": 1708013700,
"aud": "api.example.com",
"iss": "auth.example.com"
}
Signature
RSASHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), privateKey)
JWT Security Statistics (2025)
| Metric | Value | Source |
|---|---|---|
| APIs using JWT | 94% | Postman 2024 |
| JWT-related breaches (2024) | 23% of auth breaches | Verizon DBIR |
| Avg. breach cost (auth failures) | $4.76M | IBM Cost of Data Breach 2024 |
| Time to exploit weak JWT | < 2 hours | Auth0 Security Research |
Top 5 JWT Vulnerabilities & How to Fix Them
1. Algorithm Confusion Attack (CVE-2015-9235)
The Problem: Attacker changes alg header from RS256 to HS256, using the public key as the HMAC secret.
// ❌ VULNERABLE: Accepts any algorithm
const decoded = jwt.verify(token, publicKey);
// ✅ SECURE: Whitelist algorithms
const decoded = jwt.verify(token, publicKey, {
algorithms: ['RS256'] // ONLY RS256 allowed
});
Real Breach: Auth0 libraries were vulnerable until 2015. Attackers forged admin tokens.
2. Missing Token Expiration
The Problem: Tokens without exp claim never expire—compromised tokens are valid forever.
// ❌ DANGEROUS: No expiration
jwt.sign({ userId: 123 }, secret);
// ✅ SECURE: Short-lived tokens
jwt.sign({ userId: 123 }, secret, { expiresIn: '15m' });
Best Practice:
- Access tokens: 15-30 minutes
- Refresh tokens: 7 days (stored securely)
3. Token Storage in localStorage (XSS Vulnerability)
The Problem: JavaScript can access localStorage—XSS attacks steal tokens.
┌─────────────────────────────────────────────────────────────────┐
│ XSS Attack Flow │
│ │
│ 1. Attacker injects malicious script │
│ 2. Script reads localStorage.getItem('token') │
│ 3. Token exfiltrated to attacker server │
│ 4. Attacker impersonates victim │
└─────────────────────────────────────────────────────────────────┘
// ❌ VULNERABLE: XSS can steal this
localStorage.setItem('token', jwt);
// ✅ SECURE: httpOnly cookies (JS cannot access)
res.cookie('token', jwt, {
httpOnly: true, // Cannot be read by JavaScript
secure: true, // HTTPS only
sameSite: 'strict' // CSRF protection
});
4. HS256 with Weak/Leaked Secrets
The Problem: HS256 uses symmetric keys. If secret leaks, attacker forges any token.
// ❌ WEAK: Short, guessable secret
jwt.sign(payload, 'secret123');
// ❌ LEAKED: Secret in source code
const SECRET = 'production-jwt-secret-2024';
// ✅ SECURE: RS256 (asymmetric)
jwt.sign(payload, privateKey, { algorithm: 'RS256' });
Key Comparison:
| Algorithm | Key Type | Best For | Risk |
|---|---|---|---|
| HS256 | Symmetric | Single server | Secret leak = full compromise |
| RS256 | Asymmetric | Distributed systems | Public key is safe to share |
| ES256 | Asymmetric (ECDSA) | Mobile/IoT | Smaller keys, same security |
5. Missing Claim Validation
The Problem: Accepting tokens without validating aud, iss, or custom claims.
// ❌ VULNERABLE: No claim validation
const decoded = jwt.verify(token, secret);
// ✅ SECURE: Full validation
const decoded = jwt.verify(token, publicKey, {
algorithms: ['RS256'],
audience: 'api.example.com',
issuer: 'auth.example.com',
clockTolerance: 30 // 30 seconds clock skew tolerance
});
// Additional validation
if (!decoded.userId || !decoded.email) {
throw new Error('Invalid token claims');
}
Refresh Token Architecture
┌─────────────────────────────────────────────────────────────────────┐
│ Refresh Token Flow │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ Client Server Database │
│ │ │ │ │
│ │──── Login ─────────────►│ │ │
│ │ │──── Store Refresh ───────►│ │
│ │◄─── Access + Refresh ───│ │ │
│ │ │ │ │
│ │─── API Request ────────►│ │ │
│ │ (Access Token) │ │ │
│ │◄───── Response ─────────│ │ │
│ │ │ │ │
│ │ [Access Token Expires] │ │ │
│ │ │ │ │
│ │─── Refresh Request ────►│ │ │
│ │ (Refresh Token) │──── Validate ────────────►│ │
│ │ │◄─── Valid ────────────────│ │
│ │◄─── New Access Token ───│──── Rotate Refresh ──────►│ │
│ │ │ │ │
└─────────────────────────────────────────────────────────────────────┘
Implementation
// Login: Issue both tokens
app.post('/login', async (req, res) => {
const user = await authenticate(req.body);
const accessToken = jwt.sign(
{ userId: user.id, email: user.email },
privateKey,
{ algorithm: 'RS256', expiresIn: '15m' }
);
const refreshToken = jwt.sign(
{ userId: user.id, tokenVersion: user.tokenVersion },
privateKey,
{ algorithm: 'RS256', expiresIn: '7d' }
);
// Store refresh token hash in DB for revocation
await storeRefreshToken(user.id, refreshToken);
res.cookie('refreshToken', refreshToken, {
httpOnly: true,
secure: true,
sameSite: 'strict',
path: '/api/refresh' // Only sent to refresh endpoint
});
res.json({ accessToken });
});
// Refresh: Issue new access token
app.post('/api/refresh', async (req, res) => {
const refreshToken = req.cookies.refreshToken;
const decoded = jwt.verify(refreshToken, publicKey, {
algorithms: ['RS256']
});
// Check if token is revoked
if (await isTokenRevoked(decoded.userId, refreshToken)) {
return res.status(401).json({ error: 'Token revoked' });
}
const newAccessToken = jwt.sign(
{ userId: decoded.userId },
privateKey,
{ algorithm: 'RS256', expiresIn: '15m' }
);
res.json({ accessToken: newAccessToken });
});
JWT Security Checklist
- Use RS256 or ES256 (asymmetric) over HS256
- Set short expiration (15-30 min for access tokens)
- Store tokens in httpOnly cookies (not localStorage)
- Implement refresh token rotation
- Whitelist algorithms in verify options
- Validate all claims (exp, iat, aud, iss)
- Use HTTPS everywhere
- Implement token revocation for logout
- Rotate signing keys quarterly
- Rate limit token endpoints
- Monitor for anomalous token patterns
- Never log or expose tokens in errors
Real-World JWT Breaches
1. Auth0 Algorithm Confusion (2015)
- Vulnerability: Library accepted HS256 when expecting RS256
- Impact: Token forgery possible with public key
- Fix: Strict algorithm whitelisting
2. Zoom JWT Vulnerabilities (2020)
- Vulnerability: No audience validation, long-lived tokens
- Impact: Meeting hijacking
- Fix: Short expiration + audience validation
3. Palo Alto PAN-OS (2024, CVE-2024-0012)
- Vulnerability: JWT authentication bypass
- Impact: Admin access without credentials
- Fix: Proper signature verification
JWT vs Session Comparison
| Feature | JWT | Sessions |
|---|---|---|
| Server storage | None (stateless) | Required |
| Scalability | Excellent | Requires shared store |
| Revocation | Complex | Immediate |
| Mobile/API | Ideal | Requires cookies |
| Token size | Larger (payload) | Small (session ID) |
| Best for | APIs, microservices | Traditional web apps |
Tools & Resources
| Tool | Purpose | URL |
|---|---|---|
| jwt.io | Token debugger | https://jwt.io |
| jwt_tool | Penetration testing | GitHub |
| jose | JS JWT library | npmjs.com/jose |
| PyJWT | Python library | pypi.org/project/PyJWT |
SEO Summary & Key Takeaways
- Use RS256/ES256 — Asymmetric algorithms prevent secret leakage
- 15-minute expiration — Limit blast radius of stolen tokens
- httpOnly cookies — Eliminate XSS token theft
- Whitelist algorithms — Prevent algorithm confusion attacks
- Validate all claims — aud, iss, exp are mandatory
Next steps: Audit your JWT implementation against the checklist above. Use jwt.io to decode and inspect your tokens (never in production!).
Last updated: February 2025 | Sources: OWASP, Auth0, RFC 7519, Postman API Report 2024
Published by SecureCodeReviews
This article is part of our original AI security and cybersecurity content library. We show publish and update dates, keep company and policy pages public, and update important guidance when material changes affect readers.
Shipping an API that needs a hard security pass?
We review authentication, authorization, business logic abuse, rate limiting, and the edge cases automated scanners usually miss.
Advertisement
Free Security Tools
Try our tools now
Expert Services
Get professional help
OWASP Top 10
Learn the top risks
Related Articles
Secure API Design Patterns: A Developer's Guide
Learn the essential security patterns every API developer should implement, from authentication to rate limiting.
DevSecOps: The Complete Guide 2025-2026
Master DevSecOps with comprehensive practices, automation strategies, real-world examples, and the latest trends shaping secure development in 2025.
The Ultimate Secure Code Review Checklist for 2025
A comprehensive, actionable checklist for conducting secure code reviews. Covers input validation, authentication, authorization, cryptography, error handling, and CI/CD integration with real-world examples.