Is there any security risk when TOKEN is added to HEADER and HTTPS is used to communicate?

While writing a web API, I currently put the TOKEN in the HTTP request header and use HTTPS to communicate with the server.

Can the TOKEN be hijacked? I am a little worried about forged requests. Asking for advice ~ Thank you!

Dec.13,2021

A token is used to ensure the trustworthiness of the data source. The security of the token itself does not fall within its responsibility.
For example, if the token is generated with JWT, the information stored in it is not encrypted. It only ensures that the information in it is correct. Say I use the data {id:12345} to generate a token; this token is divided into three pieces of information. The first part is the header (Header). The second part is our data (Payload), through base64 encryption. The third part is the encrypted signature, generated from the Header and the Payload together with our private key.
When the client accesses the server with this token, I verify the integrity of the whole thing using our private key. If it verifies, that shows the information is credible. When the information is tampered with, for example someone gets the token and changes the data to {id:56789}, he does not have the private key, so he cannot generate a correct signature. When the server verifies the token, we know the data has been tampered with, and then perform the corresponding handling.
This is the function of the token: to ensure the credibility of the data. Make sure that this token stays within its scope of authority and does not go beyond it, such as reaching the information of other users.
Of course, you can add other measures according to your needs. For instance, if you do not want others to see the data in the token, you can encrypt that data.
Or, to guard against the token being obtained by others as a result of the user losing it, that needs to be ensured by other means, such as verifying the visiting IP, setting a shorter expiration time, the HTTPS you are already using, adding more validation, and so on. Reduce the chance of theft by raising the cost of theft for a third party.
You can think of the token as the bank's banknote detector, which is responsible for verifying that the banknotes are real and not counterfeit. As for whether the money was stolen or obtained through a normal exchange, that is not controlled by the banknote detector; it is handled by the police.

Refer to:
What is JWT (JSON Web Token)
Server-side authentication artifact: JWT (1)
What protects a JWT from being hijacked and used to pose as the original user?
What if JWT is stolen?
Best practices for server-side handling of JWT tokens
