Understanding JWT and CSRF Tokens (2024)

FAQs

What is the difference between JWT and CSRF tokens? ›

Conclusion. To conclude, JWT and CSRF tokens serve critical yet different roles in securing web applications. JWTs facilitate secure information exchange for authentication and authorization, while CSRF tokens protect against unwanted actions on behalf of authenticated users.

JWTs by themselves do not prevent CSRF attacks. Here's why: - JWTs may be sent automatically by the browser if authentication cookies or local storage tokens are set. An attacker can leverage this to send the JWT without the user knowing.

It's probably good to keep a layered security approach and continue to use CSRF tokens.

JWT token is not encrypted, it's just base64UrlEncoded. So, don't put any sensitive information in payload. Meaning, if for some reason an access token is stolen, an attacker will be able to decode it and see information in payload.

Synchronizer Token Pattern

CSRF tokens should be generated on the server-side and they should be generated only once per user session or each request. Because the time range for an attacker to exploit the stolen tokens is minimal for per-request tokens, they are more secure than per-session tokens.

While storing CSRF tokens in a separate cookie can provide an additional layer of protection against CSRF attacks, it is important to consider the potential drawbacks. These include the risk of cookie theft, cookie manipulation, compatibility issues, and increased complexity in managing cookies.

JWT are a more secure and scalable alternative to CSRF tokens that can be used to authenticate and authorize users in API-centric applications. Unlike CSRF tokens, JWT are self-contained and encoded, which means they can be easily verified and decoded by the server without the need for a server-side session.

The Lax configuration is more user friendly, however still allows the possibility for CSRF attacks, since applications may implement sensitive actions using GET requests or may honour requests that use an unexpected request method (i.e. they were expecting POST but will still process a GET request).

With JWT, the biggest problem is there are no reliable ways to log out users. The logout is fully controlled by the client, the server side can do nothing about it. It can just expect the client will forget about the token, that's it. This is dangerous from a security perspective.

Is JWT outdated? ›

As of September 8, 2023, the JWT app type has been deprecated. Use Server-to-Server OAuth or OAuth apps to replace the functionality of all JWT apps in your account.

JWT is suitable for stateless applications, as it allows the application to authenticate users and authorize access to resources without maintaining a session state on the server. OAuth, on the other hand, maintains a session state on the server and uses a unique token to grant access to the user's resources.

Tokens can be easily revoked, enhancing security. JWT: Relies on cryptographic signatures for security. Once issued, JWTs are valid until they expire, which can be a security concern if not managed properly.

A Bearer token is for authentication to an API for example, a CSRF Token is for protecting against cross-side-request-forgery attacks.

A CSRF token is a secure random token (e.g., synchronizer token or challenge token) that is used to prevent CSRF attacks. The token needs to be unique per user session and should be of large random value to make it difficult to guess. A CSRF secure application assigns a unique CSRF token for every user session.

Storage: JWT; the authentication state is not stored anywhere on the server side rather they are saved on the client side, while on the cookie, the authentication is stored on the server side. the JWT is Stateless, while the cookies are Stateful.