Question
Is it safe to put a JWT (JSON web token) into the URL as a query parameter of a GET request?
Recommended answer
It can be safe under the following circumstances:
- the JWT is one-time usage only
- the jti and exp claims are present in the token
- the receiver properly implements replay protection using jti and exp
but in case it is used as a token that can repeatedly be used, e.g. against an API, then supplying it as a query parameter is less preferred since it may end up in logs and system process information, available to others that have access to the server or client system. In that case it would be better to present it as part of a header or a POST parameter.
Besides that, by using it in the query parameters you may run into URL size limitations on browsers or servers; using it in a header provides some more space, using it as a POST parameter would work best.