JSON Web Token

Bridgecrew Policy ID: BC_GIT_9
Severity: LOW

Description

JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

Once issued, access tokens and ID tokens cannot be revoked in the same way as cookies with session IDs for server-side sessions. As a result, tokens should be issued for relatively short periods, and then refreshed periodically if the user remains active.

Fix - Buildtime

Multiple Services

Step 1: Reduce duration.
The most common solution is to reduce the duration of the JWT and revoke the refresh token so that the user can’t generate a new JWT.

Step 2: Clean the git history.
Go under the settings section of your GitHub project and choose the change visibility button at the bottom.

Step 3: Check your application access logs to ensure the key was not utilized during the compromised period.
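As an added example (not part of this policy page or Bridgecrew's own scanner), the following Python audit illustrates the description and Step 1: it finds JWT-shaped strings in text such as a committed config file, decodes the header and payload without verifying the signature, and flags any token whose exp minus iat exceeds a chosen maximum lifetime. The regular expression, the one-hour limit and the sample file contents are assumptions constructed for the demo.

```python
import base64
import json
import re

# A JWT is three base64url segments joined by dots; a JSON header always encodes to "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def parse_jwt(token: str):
    """Decode header and payload only; the signature is NOT verified (the auditor holds no key)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON: not a token
        return None
    if not isinstance(header, dict) or "alg" not in header or not isinstance(payload, dict):
        return None
    return {"header": header, "payload": payload}

def lifetime_seconds(payload: dict):
    """exp minus iat in seconds, or None when either claim is missing (unbounded lifetime)."""
    if "exp" in payload and "iat" in payload:
        return int(payload["exp"]) - int(payload["iat"])
    return None

def audit_text(text: str, max_lifetime: int = 3600) -> list:
    """Find every structurally valid JWT in text and flag those living longer than max_lifetime."""
    findings = []
    for match in JWT_RE.finditer(text):
        parsed = parse_jwt(match.group(0))
        if parsed is None:
            continue
        life = lifetime_seconds(parsed["payload"])
        findings.append({"sub": parsed["payload"].get("sub"), "alg": parsed["header"]["alg"],
                         "lifetime": life, "too_long": life is None or life > max_lifetime})
    return findings

# Constructed sample: a 30-day service token in a .env-style file, with a dummy signature.
HEADER = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
CLAIMS = _b64url_encode(json.dumps({"sub": "deploy-bot", "iat": 1700000000, "exp": 1702592000}).encode())
SAMPLE_TOKEN = HEADER + "." + CLAIMS + ".not-a-real-signature"
SAMPLE_FILE = "API_TOKEN=" + SAMPLE_TOKEN + "\nOTHER=eyJnotatoken\n"  # second line is a decoy
```

Running `audit_text(SAMPLE_FILE)` reports one token for `deploy-bot` with a 2592000-second lifetime, well past the one-hour limit; the decoy line is ignored because it is not three dot-separated segments.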