Information Disclosure - JWT in Browser sessionStorage
- Risk: Informational
- Type: Client Passive
- CWE: 200
- Summary
- JWT was stored in browser sessionStorage. This is not unusual or necessarily unsafe - this informational alert has been raised to help you get a better understanding of what this app is doing. For more details see the Client tabs - this information was set directly in the browser and will therefore not necessarily appear in this form in any HTTP(S) messages.
- Solution
- Store JWTs in sessionStorage instead of localStorage so that it is cleared when the page session ends.
- Other info
- The following JWT was set: Key: key Header: {'alg': 'HS256', 'typ': 'JWT'} Payload: {'sub': '1234567890', 'name': 'John Doe', 'iat': 1516239022} Signature: d35db7e39ebbf34d76df8e7aefcd35db7e39ebbf34d76df8e7aefcd35db7e39ebbf34d76df8e7aefcd35db7e39ebbf Note that this alert will only be raised once for each URL + key.
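To make concrete what this passive client-side check is looking at, the following is an added example (it is not ZAP's own scan rule code). It walks a Web Storage object, picks out values shaped like a JWT, and decodes the header and payload exactly as the alert's "Other info" reports them, without verifying the signature. The `makeStorage` stand-in and the sample token are constructed so the script runs outside a browser; in a page you would pass `window.sessionStorage` directly and swap the Node `Buffer` calls for `atob`/`TextDecoder`.

```javascript
// Added example (not ZAP's code): find JWT-shaped values in a Web Storage object and
// decode their header and payload for review. No signature verification is done here.

// Three base64url segments separated by dots; the signature segment may be empty (alg "none").
const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

function base64UrlDecode(s) {
  let b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4) b64 += '=';
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns { header, payload, signature } or null when the value is not a parseable JWT.
function parseJwt(value) {
  if (typeof value !== 'string' || !JWT_RE.test(value)) return null;
  const [h, p, sig] = value.split('.');
  try {
    const header = JSON.parse(base64UrlDecode(h));
    const payload = JSON.parse(base64UrlDecode(p));
    if (header === null || typeof header !== 'object' || typeof header.alg !== 'string') return null;
    return { header, payload, signature: sig };
  } catch {
    return null; // not valid base64url/JSON, so not a JWT
  }
}

// storage: anything exposing the Web Storage interface (length, key(i), getItem(k)),
// e.g. window.sessionStorage or window.localStorage in a browser.
function findJwtsInStorage(storage) {
  const found = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const parsed = parseJwt(storage.getItem(key));
    if (parsed) found.push({ key, ...parsed });
  }
  return found;
}

// Constructed in-memory stand-in for sessionStorage so the example runs under Node.
function makeStorage(entries) {
  const m = new Map(Object.entries(entries));
  return {
    get length() { return m.size; },
    key(i) { return Array.from(m.keys())[i] ?? null; },
    getItem(k) { return m.has(k) ? m.get(k) : null; },
  };
}

// Constructed sample token using the header and payload quoted in the alert text above.
// The signature segment is a placeholder, not a real HMAC.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ sub: '1234567890', name: 'John Doe', iat: 1516239022 })),
  'placeholder-signature',
].join('.');

// Constructed storage contents: one JWT under the key "key" plus two non-JWT values.
const sampleStorage = makeStorage({
  key: SAMPLE_TOKEN,
  theme: 'dark',
  csrf: 'abc.def',
});

for (const hit of findJwtsInStorage(sampleStorage)) {
  console.log(`Key: ${hit.key} Header: ${JSON.stringify(hit.header)} Payload: ${JSON.stringify(hit.payload)}`);
}
```

Only the key and the decoded claims are reported, which is the useful part for understanding what the application keeps client-side; the raw token itself need not be copied into findings.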