JWT token - Man in the middle attack
Problem description
I was going through JWT auth. It looks pretty good. However, I have a question: is JWT authentication prone to a man-in-the-middle attack? Can someone get this token while it is being sent? If so, then with the token and a fake request (obviously with a correct URL), can the data be fetched?
Is this even a valid scenario?
Any views are appreciated.
Recommended answer
JWT without HTTPS is prone to a man-in-the-middle attack. You should use it with the HTTPS protocol to minimize the risk.
You can make it even more secure by adding the IP address of the client as a private claim to the JWT token and validating that as well.
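One way to implement the check the answer describes, as an added example that is not code from the original post: a stdlib-only HS256 JWT issuer and verifier that validates the signature, the expiry and a private `ip` claim against the address the server observes for the request. The key, claims, timestamps and IP addresses are constructed for the demonstration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: HMAC key known only to the server

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, client_ip: str, ttl: int = 900, now=None) -> str:
    """Issue an HS256 JWT that binds the token to the client's IP via a private claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl, "ip": client_ip}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, request_ip: str, now=None):
    """Return the payload when signature, expiry and IP claim all hold; otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        if header.get("alg") != "HS256":        # reject "none" / algorithm confusion
            return None
        expected = hmac.new(SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return None                          # tampered or forged token
        payload = json.loads(_b64url_decode(p_b64))
    except (ValueError, UnicodeDecodeError):
        return None                              # malformed token
    if payload.get("exp", 0) <= now:
        return None                              # expired: limits the replay window
    if payload.get("ip") != request_ip:
        return None                              # replayed from a different address
    return payload

if __name__ == "__main__":
    tok = issue_token("alice", "203.0.113.5", now=1_700_000_000)
    print(verify_token(tok, "203.0.113.5", now=1_700_000_100))  # payload dict
    print(verify_token(tok, "198.51.100.9", now=1_700_000_100))  # None
```

The `request_ip` must be the address the server itself observes; behind a reverse proxy, read it only from a forwarding header that the trusted proxy sets and strips from incoming requests. Clients on mobile or NAT networks can legitimately change address, so this binding trades some usability for the extra check.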