By: Saad Abbasi

Protecting endpoints in Node.js using JWT



  • Technical Lead at Incubation Center (DUET)
  • Full Stack JavaScript Developer
  • Freelance Developer (JS/IoT)
  • 1.5+ years in tech industry
  • Security Enthusiast
  • ...



What problem do we want to solve?

That's simply NOT how a server works.

Session IDs.

  • Uses cookies / LocalStorage

  • No validation on the server

  • Vulnerable to XSS / MITM

Auth Guards.

  • Client-side JS
  • Uses LocalStorage
  • Vulnerable to XSS / reverse engineering

JSON Web Token (JWT)

"JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties."



"Formally request or demand; that one owns something."

- Google


Non-repudiation is the assurance that someone cannot deny something.



  • All the basic stuff a web server needs

  • Encrypted the passwords

  • Implemented Authentication Model

Before sending "200 OK", Sign a JWT.

Options JWT provides

Algorithm Support

... and Cookify it.

const token = ...; // the JWT signed above
// Express signature is res.cookie(name, value, options)
res.cookie('token', token, {
    secure: true,   // sent only over TLS (HTTPS).
    httpOnly: true  // JS is unable to touch the cookie.
});

Wrapping Up.

  • Use the async implementation of JWT sign/verify
  • Use RS256 or higher
  • Use different keys for TLS and JWTs
  • Use keys generated with OpenSSL in production
  • Use the same expiry for cookies and JWTs
  • Use a middleware to check and handle tokens
  • Use 2048-bit or larger keys

That's It, Thanks.