JWT
JWT Security Best Practices in 2026
JWT tokens are powerful but can be exploited if not properly secured. This guide covers essential security practices to protect your application from common JWT vulnerabilities.
Critical: Improper JWT implementation can lead to authentication bypass, privilege escalation, and data breaches. Follow these practices carefully.
1. Always Use Strong Signing Algorithms
Recommended Algorithms
- HS256 (HMAC with SHA-256) - Symmetric, fast, good for single-server
- RS256 (RSA with SHA-256) - Asymmetric, best for microservices
- ES256 (ECDSA with SHA-256) - Asymmetric, smaller signatures
❌ Never Use
- "none" algorithm - No signature verification (major vulnerability!)
- Weak algorithms - HS1, MD5-based
// BAD - Accepts "none" algorithmjwt.verify(token, secret);// GOOD - Explicitly require algorithmjwt.verify(token, secret, { algorithms: ['HS256'] });2. Use Cryptographically Strong Secrets
Minimum Requirements:
- At least 256 bits (32 bytes) of entropy
- Generated using cryptographically secure random number generator
- Unique per environment (different for dev/staging/production)
// Generate strong secret (Node.js)const crypto = require('crypto');const secret = crypto.randomBytes(32).toString('hex');console.log(secret); // Store in environment variable
Never use: "secret", "password", "mysecret", or any hardcoded strings as your JWT secret!
3. Set Appropriate Expiration Times
| Token Type | Recommended Lifetime | Reason |
|---|---|---|
| Access Token | 5-15 minutes | Minimize damage if stolen |
| API Token | 15 min - 1 hour | Balance between security and UX |
| Refresh Token | 7-30 days | Allow session continuity |
| Email Verification | 24 hours | Time-limited action |
// Set expirationconst token = jwt.sign(payload, secret, { expiresIn: '15m', // 15 minutes // or: expiresIn: 900 // 900 seconds});// Verify expiration is checkedjwt.verify(token, secret); // Automatically checks 'exp' claim4. Validate All Claims
Don't just verify the signature—validate all security-critical claims:
jwt.verify(token, secret, { algorithms: ['HS256'], // Required algorithm issuer: 'your-app.com', // Expected issuer audience: 'your-api.com', // Expected audience clockTolerance: 30, // Allow 30s clock skew}, (err, decoded) => { if (err) { // Invalid token - signature, expiration, or claims failed return res.status(403).json({ error: 'Invalid token' }); } // Additional validation if (decoded.role !== 'admin') { return res.status(403).json({ error: 'Insufficient permissions' }); } next();});5. Store Tokens Securely
| Storage Method | Security Level | Vulnerable To | Best For |
|---|---|---|---|
| localStorage | Medium | XSS attacks | SPAs with strict CSP |
| sessionStorage | Medium | XSS attacks | Single-tab sessions |
| httpOnly Cookie | High | CSRF (mitigated with sameSite) | Production apps |
| Memory (variable) | Highest | Lost on refresh | Max security + refresh tokens |
Recommended: httpOnly Cookies
// Backend sets cookieres.cookie('token', jwtToken, { httpOnly: true, // Not accessible via JavaScript secure: true, // HTTPS only sameSite: 'strict', // CSRF protection maxAge: 900000 // 15 minutes});6. Implement Token Revocation
JWTs are stateless by default, but you may need revocation for:
- User logout
- Account compromise
- Permission changes
- Password resets
Strategy 1: Token Blacklist
// Store revoked tokens in Redis (fast lookup)async function revokeToken(token) { const decoded = jwt.decode(token); const ttl = decoded.exp - Math.floor(Date.now() / 1000); await redis.setex(`revoked:${token}`, ttl, '1');}// Check on every requestasync function isTokenRevoked(token) { const revoked = await redis.get(`revoked:${token}`); return revoked === '1';}Strategy 2: Token Version
// Include version in tokenconst token = jwt.sign({ userId: user.id, tokenVersion: user.tokenVersion // Stored in database}, secret);// On verification, check versionconst decoded = jwt.verify(token, secret);const user = await User.findById(decoded.userId);if (decoded.tokenVersion !== user.tokenVersion) { throw new Error('Token revoked');}// To revoke all tokens, increment versionawait User.updateOne({ _id: userId }, { $inc: { tokenVersion: 1 } });7. Protect Against Common Attacks
XSS (Cross-Site Scripting)
- Use httpOnly cookies (can't be accessed by JavaScript)
- Implement Content Security Policy (CSP)
- Sanitize all user inputs
- Use frameworks with automatic XSS protection (React, Vue)
CSRF (Cross-Site Request Forgery)
- Use
sameSite: 'strict'or'lax'on cookies - Implement CSRF tokens for state-changing operations
- Verify
OriginandRefererheaders
Replay Attacks
- Use short token lifetimes
- Include timestamp (
iat) and check for old tokens - Implement nonce (unique ID) per token
8. Never Trust Client-Side Validation
Security Rule: Always verify JWT signatures on the server. Client-side JWT decoding is for display purposes only—attackers can modify client code.
// BAD - Client decides if user is adminconst decoded = jwt.decode(token); // No verification!if (decoded.role === 'admin') { showAdminPanel();}// GOOD - Server validates everythingapp.get('/admin', authenticateToken, checkRole('admin'), (req, res) => { // Token verified, role checked server-side res.json({ adminData });});9. Use HTTPS Only
Why: JWTs sent over HTTP can be intercepted by attackers (man-in-the-middle attacks).
- Always use HTTPS in production
- Set
secure: trueon cookies - Implement HSTS (HTTP Strict Transport Security)
- Use certificate pinning for mobile apps
10. Audit and Monitor
- Log all authentication failures
- Monitor for unusual token usage patterns
- Set up alerts for failed verifications
- Regularly rotate signing secrets
- Conduct security audits
jwt.verify(token, secret, (err, decoded) => { if (err) { logger.warn('JWT verification failed', { error: err.message, ip: req.ip, timestamp: new Date() }); return res.status(403).json({ error: 'Invalid token' }); } next();});Security Checklist
Try Our Tools
Test and debug your JWT implementation: