Java is everywhere

So if you'd store the jwt in a HttpOnly cookie and secure your api with CSRF tokens, you should be alright, right?

This is correct JWT does not encrypt the data in the token it only signs the data so if a token arrives at the server the server can be sure that it(the server) was the one that originally generated the token. So https/SSL has to be used to prevent someone from reading the token. Another issue is tokens don't have any mechanism to revoke them, so even if you know it has been compromised it will remain valid until expiry date.

Is it suppose to be encrypted it with a secret key? Which both front and backend knows it.

@@dummypg6129 Its not encrypted, it relies on the fact that the connection should be encrypted i.e TLS/SSL Https

​@@dummypg6129 Only the backend knows it. It decrypts it with the secret key and if it ends up with the same hashed result it knows the data is exactly the same AND the hash they sent also is correct. If a user gets the secret key then yes, all JWT's are compromised. The solution? Change the secret key. Done.

@@TZCoder I really wonder why nobody (training videos/articles) explicitly mentions that these tokens MUST be used along with https/SSL for it to be really secure. Or is it not the case ?

look up something called Refresh Tokens

because the library does that for you...

may be because generally header contains algorithm and here already he mentioned not to pass algo with header and pass a white list otherwise anyone can make algo to none and jwt is just a joke than nothing else

He might have overlooked, it should be private to sign when it's RSA

no he is basically saying that is a bug. he is showing how using rsa encryption with the public and private key pair can cause a problem. The JWT is signed using the private key and has to be verified using the public key. so even when it's the server verifying it needs to used the public key. he explained earlier @13:18 why this might be done (basically because you can share the public key with multiple servers but you wouldn't want to do that with a single private key). The problem with this is that some can take advantage of the fact they know the server is verifying with publicKey. they can just modify the payload and sign it again using the publicKey and claim that the algorithm is HS256; basically saying we are using a shared key, and guess what, we have the key it's the publicKey.

As far as I know, not, if you are using an security communication over TLS.

no one should steal the JWT just like no one should steal your cookies.

He meant 'session' instead of 'cookie'. Weird mistake but yeah

how do you access httpOnly cookie in dev tools?

@@ringoaikocascade In chrome dev tools ,filter XHR Request from Network tab if any of request sends cookie it will show up in Cookies tab.

@@imyounick so it's a manual work then. How do you get someone else's httponly cookie?

@@ringoaikocascade Same answer, manually is only way. Consider RDP hack

@@imyounick If I have access to someone else's credit card, or somehow let me use the card, and I use it to buy whatever I want, that doesn't mean credit card itself is not secure.

the accent very weird as well

@@CarlosEduardo-cq1wv but what he say is usefull for hackers i thinks this is not to secure its possible i think kind regards niek tuytel

The sound is fine to me, and his accent is not bad at all. I don't what the problem is. Are you guys just hating on him?

@@isynciswim7382 Yes they are , there's a stigma to Indian accent...as an Indian I know it.

im not a native english speaker but i understand him perfectly fine, also the content was great!