JWT token - Man in the middle attack


Problem description

I was going through JWT auth. It looks pretty good. However, I have a question: is JWT authentication prone to a man-in-the-middle attack? Can someone get this token while it is being sent? If so, then with the token and a fake request (obviously with a correct URL), can the data be fetched?

Is this even a valid scenario?

Any views are appreciated.

Recommended answer

JWT without HTTPS is prone to a man-in-the-middle attack; you should use it with the HTTPS protocol to minimize the risk.

You can make it even more secure by adding the IP address of the client as a private claim to the JWT token and validating that as well.

