Evaluate Geo JWT usage against OWASP checklist
Suggested via the Geo security review: https://gitlab.com/gitlab-org/gitlab-ee/issues/3865
https://www.owasp.org/index.php/JSON_Web_Token_(JWT)_Cheat_Sheet_for_Java lists four things to check a JWT implementation against:
- We are not affected, as we always specify and verify the algorithm explicitly rather than trusting the one named in the token header.
- We don't include any direct sidejacking protection that I'm aware of. Is a short expiration a reasonable mitigation?
- Are the token contents cleartext? Is anything sensitive in them?
- We are not affected, as the JWTs never reach a client browser.
Leaving this confidential for now; we can make it public once we have "not affected" for all four items.
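As an added illustration of the first three items (not GitLab's Geo code), here is a minimal HS256 issue/verify pair using only the Ruby standard library: the verifier pins the algorithm instead of reading it from the token header, rejects tokens past `exp`, and the payload is shown to be plain base64url rather than encrypted. The `ToyJwt` module name, the secret and the claims are constructed for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Hypothetical module, constructed for this example.
module ToyJwt
  ALG = 'HS256'.freeze # the only algorithm the verifier will ever accept

  def self.b64url(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  def self.unb64url(str)
    Base64.urlsafe_decode64(str)
  end

  # Constant-time byte comparison so signature checks do not leak timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.sign(payload, secret)
    header = { alg: ALG, typ: 'JWT' }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    sig = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
    "#{signing_input}.#{b64url(sig)}"
  end

  # Returns the payload hash on success, nil on any failure (bad shape,
  # wrong/none algorithm, bad signature, missing or past expiry).
  def self.verify(token, secret, now: Time.now.to_i)
    parts = token.split('.')
    return nil unless parts.size == 3
    header = JSON.parse(unb64url(parts[0]))
    # Pin the algorithm: "none" or any other alg in the header is rejected.
    return nil unless header.is_a?(Hash) && header['alg'] == ALG
    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{parts[0]}.#{parts[1]}")
    return nil unless secure_equal?(expected, unb64url(parts[2]))
    payload = JSON.parse(unb64url(parts[1]))
    return nil unless payload.is_a?(Hash)
    # A short exp bounds how long a captured token stays useful.
    return nil unless payload['exp'].is_a?(Integer) && now < payload['exp']
    payload
  rescue JSON::ParserError, ArgumentError
    nil
  end
end
```

Note that `JSON.parse(ToyJwt.unb64url(token.split('.')[1]))` recovers the claims without the secret, which is the point of the "cleartext contents" item.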
/cc @kathyw
Edited by Nick Thomas