is it bad to pass jwt token as part of url?

prasanth picture prasanth · May 23, 2019 · Viewed 10.1k times · Source

Hi currently i have an angular application and java backend. in my angular component html i have some image such as profile photos. the resource that serves the image files is secured with spring security . so my quesiton is it bad to append json web tokens as part of an image url ? can it cause a security breach ? is it a bad practice ?

the following is how my angular code looks like from the chrome developer tool.

<div _ngcontent-c5="" class="avatar-circle bg-secondary text-brand-secondary" ng-reflect-klass="avatar-circle" ng-reflect-ng-class="bg-secondary,text-brand-second" style="background-image: url(&quot;http://localhost:8080/api/files/4eb81fa8-9c5d-4920-b0f5-c9239fb1cae7?access_token=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJnbG9iYWxhZG1pbkBsb2NhbGhvc3QiLCJhdXRoIjoiUk9MRV9HTE9CQUxfQURNSU4iLCJleHAiOjE1NjExOTkwNTh9.UFvdgZNxs_O1uTjtUh64ko3A47R2fxZxYFX0aXv2Jp_TkVrmlBT1mzN40JwclGk3m0sCZONKbnVhgXXKy69DfQ&quot;);">
  <!--bindings={
  "ng-reflect-ng-if": "false"
}-->
</div>

any help is appreciated . i would love to pass the access_token as part of the http get request header but i couldnt find a proper code anywhere. any help is appreciated.

Answer

cassiomolin picture cassiomolin · May 23, 2019

Depending on the image, you may want to make it public available or consider a different way to send to token to the server (a cookie may help).

Can it cause a security breach? Is it a bad practice?

As mentioned in my previous answer, JWT tokens are URL-safe when it comes to their syntax. Here is a quote from the RFC 7519:

A JWT is represented as a sequence of URL-safe parts separated by period (.) characters. Each part contains a base64url-encoded value. [...]

However, when using JWT as bearer tokens, it's advisable to avoid sending them in the URL. See the following quote from the RFC 6750:

Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be passed in page URLs (for example, as query string parameters).

Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken.

Browsers, web servers, and other software may not adequately secure URLs in the browser history, web server logs, and other data structures. If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations.