问题
I was going through the JWT auth. It looks pretty good. However I have a question that is the JWT authentication prone to Man in the Middle attack ? Can someone get this token while it is being sent. If so, then with the token and a fake request(obviously with a correct url) the data can be fetched ?
Is this even a valid scenario ?
Any views are appreciated
回答1:
JWT without https is prone to man in the middle attack, You should use it with https protocol to minimize the risk.
You can make it even more secure by adding IP address of client as a private claim to JWT token and validate that as well.
来源:https://stackoverflow.com/questions/49424639/jwt-token-man-in-middle-attack