Sensitive Data: Exposed JWT Token
Identifier:
exposed_jwt
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
JWTs should not carry sensitive information in their payload: the payload is only base64url-encoded, not encrypted, so anyone who obtains the token can decode it, potentially leading to data breaches and privacy violations.
How we test: We analyze JWT tokens found in requests and responses to detect whether sensitive data such as passwords, personal information, or secrets is stored in JWT claims. We decode JWT payloads and check for common sensitive data patterns that should not be exposed in tokens.
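The check described above, as an added example that is not the scanner's own code: it splits a compact JWT into its three segments, base64url-decodes the payload without touching the signature (the point being that no key is needed to read it), walks the claims recursively and reports any claim whose name or value looks sensitive. The claim-name list and the value patterns are assumptions chosen for illustration, not the scanner's rule set, and the sample tokens are constructed inline with a placeholder signature.

```python
import base64
import json
import re

# Claim names that should never appear in a token payload.
# Assumed list for this example, not the scanner's own.
SENSITIVE_CLAIM_NAMES = {
    "password", "passwd", "pwd", "secret", "api_key", "apikey",
    "access_key", "private_key", "ssn", "credit_card", "card_number",
}

# Value patterns that indicate personal or secret data regardless of the claim name.
# Assumed patterns for this example; a real scanner would carry many more.
SENSITIVE_VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "us_ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "card_number": re.compile(r"^(?:\d[ -]?){13,19}$"),
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT without verifying its signature.

    Verification is deliberately skipped: the finding is that the payload is
    readable by anyone holding the token, key or no key.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def _flatten(obj, prefix=""):
    """Yield (dotted_path, value) for every leaf in a nested claim set."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _flatten(value, f"{prefix}{index}.")
    else:
        yield prefix.rstrip("."), obj


def find_sensitive_claims(token: str) -> list:
    """Return findings as (claim_path, reason) tuples, in payload order."""
    findings = []
    for path, value in _flatten(decode_jwt_payload(token)):
        leaf = path.rsplit(".", 1)[-1].lower()
        if leaf in SENSITIVE_CLAIM_NAMES:
            findings.append((path, "sensitive claim name"))
            continue
        if isinstance(value, str):
            for label, pattern in SENSITIVE_VALUE_PATTERNS.items():
                if pattern.match(value):
                    findings.append((path, f"value looks like {label}"))
                    break
    return findings


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed JWT for testing; the signature is a placeholder
    because this check never validates it."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed samples: one token leaking a password and an e-mail address
# inside a nested claim, one carrying only non-sensitive claims.
SAMPLE_BAD = make_unsigned_token({
    "sub": "1234",
    "user": {"email": "alice@example.com", "password": "hunter2"},
    "exp": 1700000000,
})
SAMPLE_OK = make_unsigned_token({"sub": "1234", "role": "viewer", "exp": 1700000000})

if __name__ == "__main__":
    for claim_path, reason in find_sensitive_claims(SAMPLE_BAD):
        print(f"{claim_path}: {reason}")
```

Running the block reports `user.email` (value pattern) and `user.password` (claim name) for the first token and nothing for the second; the remediation is to keep such data server-side and reference it from the token by an opaque identifier.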
Configuration
Example
Example configuration:
Reference
skip
Type: boolean
Skip the test if true.