将jwt作为GET请求的查询参数放入url是否安全？ [英] Is it safe to put a jwt into the url as a query parameter of a GET request?

问题描述

将jwt（json web令牌）作为GET请求的查询参数放入url是否安全？

Is it safe to put a jwt (json web token) into the url as a query parameter of a GET request?

推荐答案

在以下情况下可以安全：

It can be safe under the following circumstances:

1. JWT仅限一次性使用


2. jti 和 exp 代币中存在声明


3. 接收器使用 jti 和 exp

1. the JWT is one-time time usage only
2. the jti and exp claims are present in the token
3. the receiver properly implements replay protection using jti and exp

$ b正确实现重播保护
$ b

但是如果它被用作可以重复使用的令牌，例如针对API然后将其作为查询参数提供是不太优选的，因为它可能最终出现在日志和系统进程信息中，可供有权访问服务器或客户端系统的其他人使用。在这种情况下最好将它作为标题或POST参数的一部分呈现。

but in case it is used as a token that can repeatedly be used e.g. against an API then supplying it as a query parameter is less preferred since it may end up in logs and system process information, available to others that have access to the server or client system. In that case would be better to present it as part of a header or a POST parameter.

除此之外，通过在查询参数中使用它，您可以运行到URL浏览器或服务器的大小限制;在标题中使用它可以提供更多空间，使用它作为POST参数最好。

Besides that, by using it in the query parameters you may run in to URL size limitations on browsers or servers; using it in a header provides some more space, using it as a POST paramter would work best.

这篇关于将jwt作为GET请求的查询参数放入url是否安全？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！