Is JWT necessary over HTTPS communication?
I'm developing a MEAN stack application, and I'm currently setting up an account system. I've seen several tutorials about Authentication, all using JWT.
I am wondering if, JWT could be used as way to secure communication transport over non-secured connection like HTTP?
I've set up HTTPS to communicate from my Angular 4 front-end to my NodeJS + Express back-end, and thus, wondering if JWT are necessary to secure my communications?
JWT should not be confused with encryption. From jwt.io:
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
The JWT is signed with public/private key pairs so the sender can be verified, and verified that the payload has not been modified. However, the JSON Web Token is in clear text.
var token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ";
var payload = token.split('.')[1];
console.log('Payload: '+atob(payload))Below is a figure from jwt.io showing the authentication flow when using JWT.
You need SSL/HTTPS to encrypt the communication. Without SSL/HTTPS attackers can sniff the network traffic and obtain the JWT, hence your application is vulnerable to man in the middle attacks.
- How to add Title in video by ffmpeg on Node JS
- How can I pass custom data to Stripe webhook?
- Mongoose Activity model with dynamic reference
- What approach to take when making a webpage with contact form and using parcel.js 2 bundler
- Client request fails with 502 after 2 minutes
- Mongoose Unique index not working!
- Error : create-react-app Aborting installation
- adding .css file to ejs
- Error: Accessing non-existent property. Module exports in circular dependency
- Iron.seal does not work when user log in
- Meteor GoogleMaps.load() not working on iOS with Iron
- Npm package whatsapp-web.js broke
- error column cannot be null, trying to upload file into sql
- How to encrypt decrypt with Node.js crypto module?
- Deleting `package-lock.json` to Resolve Conflicts quickly
- Time difference function giving negative value
- use helper of handlebars-express in view
- Why my form validation while logging in is not working?
- Get interaction's reponse message object discord.js
- PHP / Apache / Node / Puppeteer - Error: Failed to launch the browser process
- Run of a next js app stuck, npm run dev doesn't work
- how to rate limit next.js server actions?
- AppwriteException: User (role: guest) missing scope (account), not able to get account after creating a session
- Fixing npm path in Windows 8 and 10
- Property 'id' does not exist on type 'User' with Passport and Typescript
- MongoDB .deleteOne not working in Node.js
- Webpack for back-end?
- Open a TCP/IP connection via socket with a label printer
- Why does "npm install" rewrite package-lock.json?
- permission problem with opennms running a nodejs script in notification