JWT storage
TL;DR
There are two major ways to store a JWT in the frontend:
A: In local storage, sent to the backend in a custom header.
B: In a secure, httpOnly cookie.
Method A is CSRF-safe but vulnerable to XSS. Method B is XSS-safe but vulnerable to CSRF.
Luc Engelen’s opinion (also mine): CSRF is easier to deal with, while the amount of work needed to fight XSS grows with the size of the frontend. Hence method B is preferable.
Prelude: what’s a JSON Web Token?
Here’s an introduction.
From a cryptography perspective, a JWT only ensures integrity. So the token on its own is not a sound basis for an authentication flow: anyone who obtains the token can impersonate you!
But since it’s stateless, which lets app owners cut the budget for backend servers, it’s still very popular in this era.
So the baseline of using JWT is you must ensure the whole internet traffic is encrypted, typicall