It can be safe under the following circumstances:

 1. the JWT is one-time time usage only
 2. the `jti` and `exp` claims are present in the token
 3. the receiver properly implements replay protection using `jti` and `exp`

but in case it is used as a token that can repeatedly be used e.g. against an API then supplying it as a query parameter is less preferred since it may end up in logs and system process information, available to others that have access to the server or client system. In that case would be better to present it as part of a header or a POST parameter.

Besides that, by using it in the query parameters you may run in to URL size limitations on browsers or servers; using it in a header provides some more space, using it as a POST parameter would work best.


&gt; Is it safe to put a jwt (json web token) into the url as a query parameter of a GET request?

Yes, insofar that a JSON Web Token (JWT) is encoded in a way that it is transparent with the encoding of a query parameter in an URL:

**A JWT is URL-encoding-safe**. There will be no data-loss when used in-place; no additional encoding is required; it is even URL encoding safe inherently, applying url-encoding (percentage-encoding) on the JWT multiple times will not destroy it.

This safety is limited:

There can be a data-leak when used in-place if the URL itself is part of such a data-leak. By how URLs are commonly in use, you should treat any JWT in an URL query parameter as-if the data-leak already happened and therefore prepared the JWT for it already (e.g. prevent replay attacks).

And it will be at best as safe as the transport of the URL information is, and never more safe.

And if the transport of the URL information is not safe, everything in the URL can never be more safe either, which includes the JWT when used as a GET parameter.

---

Apart from using it in an URL (which looks to me as a mechanism of transport), you may want to consider additional data-retention, protocol and even your own systems properties, including those of the JWT in question itself.

For all these it depends.

For some of those considerations, please see [the other answer](https://stackoverflow.com/a/32725284/367456) and [JSON Web Token (JWT) - RFC-7519](https://datatracker.ietf.org/doc/html/rfc7519) incl. the referenced updates there.

I want to remove a key-value pair from a dictionary like in the example.

    var dict: Dictionary&lt;String,String&gt; = [:]
    //Assuming dictionary is added some data.
    var willRemoveKey = &quot;SomeKey&quot;
    dict.removePair(willRemoveKey) //that&#39;s what I need




How to remove a key-value pair from swift dictionary?

How Can I extract mp4 from http live streaming m3u8 file? I Tried this command below:


    ffmpeg -i {input file} -f rawvideo -bsf h264_mp4toannexb -vcodec copy out.mp4

I took this error:

&gt;[NULL @ 0000000002f07060] Packet header is not contained in global extradata, corrupted stream or invalid MP4/AVCC bitstream Failed to open bitstream filter h264_mp4toannexb for stream 0 with codec copy: I




FFMPEG mp4 from http live streaming m3u8 file?

Is it safe to put a jwt (json web token) into the url as a query parameter of a GET request?

Is it safe to put a jwt into the url as a query parameter of a GET request?

<p>Is it safe to put a jwt (json web token) into the url as a query parameter of a GET request?</p>


I read this on the React tutorial. What does this mean? 

&gt; React is safe. We are not generating HTML strings so XSS protection is the default.

How do XSS attacks work if React is safe? How is this safety achieved?

What does it mean when they say React is XSS protected?

For the purpose of securing REST API using JWT, according to some materials (like this [guide](https://auth0.com/blog/2016/01/04/secure-your-react-and-redux-app-with-jwt-authentication/) and this [question](https://stackoverflow.com/questions/27067251/where-to-store-jwt-in-browser-how-to-protect-against-csrf)), the JWT can be stored in either **localStorage** or **Cookies**. Based on my understanding:

 - **localStorage** is subjected to XSS and generally it&#39;s not recommended to store any sensitive information in it.
 - With **Cookies** we can apply the flag &quot;httpOnly&quot; which mitigates the risk of XSS. However if we are to read the JWT from Cookies on backend, we then are subjected to CSRF.

So based on the above premise - it will be best if we store JWT in Cookies. On every request to server, the JWT will be read from Cookies and added in the Authorization header using Bearer scheme. The server can then verify the JWT in the request header (as opposed to reading it from the cookies).

Is my understanding correct? If so, does the above approach have any security concern? Or actually we can just get away with using localStorage in the first place?

Should JWT be stored in localStorage or cookie?

Sometimes and especially very often when developing a web-application Chrome doesn&#39;t allow you to visit certain sites and throwing certificate/HSTS error. I&#39;ve found that typing `badidea` (more recently `thisisunsafe`) in Chrome window will tell Chrome to skip certificate validation.

Does this solution only work for a specific site, or will Chrome ignore certificate/HSTS errors for all sites after I&#39;ve used this keyword?

When you use &#39;badidea&#39; or &#39;thisisunsafe&#39; to bypass a Chrome certificate/HSTS error, does it only apply for the current site?

Firebase provides database back-end so that developers can focus on the client side code.

So if someone takes my firebase uri (for example, `https://firebaseinstance.firebaseio.com`) then develop on it **locally**.

Then, would they be able to create another app off my Firebase instance, signup and authenticate themselves to read all data of my Firebase app?

How to restrict Firebase data modification?

I have a problem with the `--disable-web-security` flag. It is not working in Chrome 48 and Chrome 49 beta on Windows.

I&#39;ve tried killing all of the instances, reboot and run Chrome with the flag first of all, tried different machines as well. In the beta I can see the warning popup (&quot;You are using unsupported flag..&quot;), but CORS is still being enforced. Public version seems to ignore the flag completely. 

There seems to be no news or people reports about that, so it might be a local issue. 
Will be grateful for help or any related info.

Disable-web-security in Chrome 48+

I am moving from Volley to Retrofit currently version 2.0.

How to print the the full json response code ?

**includes**:

    compile &#39;com.squareup.retrofit:converter-gson:2.0.0-beta2&#39;
    compile &#39;com.squareup.retrofit:retrofit:2.0.0-beta2&#39;


**RestClient**:

    OkHttpClient client = new OkHttpClient();
            client.interceptors().add(new Interceptor() {
                @Override
                public Response intercept(Interceptor.Chain chain) throws IOException {
                    Response response = chain.proceed(chain.request());                
                    return response;
                }
            });
    
    
            Gson gson = new GsonBuilder()
                    .setDateFormat(&quot;yyyy&#39;-&#39;MM&#39;-&#39;dd&#39;T&#39;HH&#39;:&#39;mm&#39;:&#39;ss&#39;.&#39;SSS&#39;Z&#39;&quot;)
                    .create();
    
    
            Retrofit retrofit = new Retrofit.Builder()
                    .baseUrl(ROOT)
                    .addConverterFactory(GsonConverterFactory.create(gson))
                    .client(client)
                    .build();
    
            REST_CLIENT = retrofit.create(APIService.class);


**APIService**:
 

       @GET(&quot;my/json&quot;)
        Call&lt;Model&gt; getFeed();


**In Activity - Calling API**:

    Call&lt;Model&gt; call = RestClient.get().getFeed();
    call.enqueue(new Callback&lt;Model&gt;() {
        @Override
        public void onResponse(Response&lt;Model&gt; response, Retrofit retrofit) {

            Log.w(&quot;2.0 getFeed &gt; response.raw() =&gt; &quot;, response.raw().toString());//DONT WORK
            Log.w(&quot;2.0 getFeed &gt; retrofit =&gt; &quot;, retrofit.toString());//DONT WORK
            Log.w(&quot;2.0 getFeed &gt; body =&gt; &quot;, response.body().toString()); //DONT WORK
            Log.w(&quot;2.0 getFeed &gt; getStatus =&gt; &quot;, response.body().getStatus());

        }

        @Override
        public void onFailure(Throwable t) {
            t.printStackTrace();
            Log.e(&quot;2.0 getFeed &gt; onFailure =&gt; &quot;, t.toString());
        }
    });





retrofit 2.0 how to print the full json response?

I want to send a `PING` to Redis to check if the connection is working, now I could just install `redis-cli`, but I don&#39;t want to and `curl` is already there. So how can I abuse `curl` to do that? Basically I need to turn off what&#39;s send here:

    &gt; GET / HTTP/1.1
    &gt; User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
    &gt; Host: localhost:6379
    &gt; Accept: */*
    &gt; 
    -ERR wrong number of arguments for &#39;get&#39; command
    -ERR unknown command &#39;User-Agent:&#39;
    -ERR unknown command &#39;Host:&#39;
    -ERR unknown command &#39;Accept:&#39;

I was able to get rid of the `User-Agent` altogether by adding `-A &quot;&quot;`, but I can&#39;t find anything else for the rest. Any idea how I can do that?

Abuse cURL to communicate with Redis

I&#39;m trying to use Google Fonts and I&#39;ve never had any problems, but now when I try to add the CSS file on my header I get this error on the console: 

Refused to load the stylesheet `&#39;http://fonts.googleapis.com/css?family=Whatever&#39;` because it violates the following Content Security Policy directive: `&quot;style-src &#39;self&#39; &#39;unsafe-inline&#39;&quot;`.

Google Fonts violates Content Security Policy

I&#39;m new to Angular 2 and HTTP Observables. I have a component which calls an HTTP service and returns an Observable. Then I subscribe to that Observable and it works fine.

Now, I want, in that component, after calling the first HTTP service, if the call was successful, to call another HTTP service and return that Observable. So, if the first call is not successful the component returns that Observable, opposite it returns Observable of the second call.

What is the best way to chain HTTP calls? Is there an elegant way, for example like [monads][1]?

  [1]: https://en.wikipedia.org/wiki/Monad_(functional_programming)




How can I chain HTTP calls in Angular 2?

I am using IBM Bluemix to make a web service for a school project.

My project needs to request a JSON from an API, so I can use the data it provides. I use the `http get` method for a data set, and I am not sure if it is working properly.

When I run my code, I get the message:
&gt; Error: Protocol &quot;https:&quot; not supported. Expected &quot;http:&quot;

What is causing it and how can I solve it?

Here is my `.js` file:


    // Hello.
    //
    // This is JSHint, a tool that helps to detect errors and potential
    // problems in your JavaScript code.
    //
    // To start, simply enter some JavaScript anywhere on this page. Your
    // report will appear on the right side.
    //
    // Additionally, you can toggle specific options in the Configure
    // menu.

    function main() {
      return &#39;Hello, World!&#39;;
    }

    main();/*eslint-env node*/

    //------------------------------------------------------------------------------
    // node.js starter application for Bluemix
    //------------------------------------------------------------------------------

    // HTTP request - duas alternativas
    var http = require(&#39;http&#39;);
    var request = require(&#39;request&#39;);

    // cfenv provides access to your Cloud Foundry environment
    // for more info, see: https://www.npmjs.com/package/cfenv
    var cfenv = require(&#39;cfenv&#39;);

    //chama o express, que abre o servidor
    var express = require(&#39;express&#39;);

    // create a new express server 
    var app = express();

    // serve the files out of ./public as our main files
    app.use(express.static(__dirname + &#39;/public&#39;));

    // get the app environment from Cloud Foundry
    var appEnv = cfenv.getAppEnv();

    // start server on the specified port and binding host
    app.listen(appEnv.port, &#39;0.0.0.0&#39;, function() {
        // print a message when the server starts listening
        console.log(&quot;server starting on &quot; + appEnv.url);
    });


    app.get(&#39;/home1&#39;, function (req,res) {
        http.get(&#39;http://developers.agenciaideias.com.br/cotacoes/json&#39;, function (res2) {
            var body = &#39;&#39;;
            res2.on(&#39;data&#39;, function (chunk) {
                body += chunk;
            });
            res2.on(&#39;end&#39;, function () {
                var json = JSON.parse(body);
                var CotacaoDolar = json[&quot;dolar&quot;][&quot;cotacao&quot;];
                var VariacaoDolar = json[&quot;dolar&quot;][&quot;variacao&quot;];
                var CotacaoEuro = json[&quot;euro&quot;][&quot;cotacao&quot;];
                var VariacaoEuro = json[&quot;euro&quot;][&quot;variacao&quot;];
                var Atualizacao = json[&quot;atualizacao&quot;];
    			
    			obj=req.query; 
    			
    			DolarUsuario=obj[&#39;dolar&#39;];
    			RealUsuario=Number(obj[&#39;dolar&#39;])*CotacaoDolar;
    			
    			EuroUsuario=obj[&#39;euro&#39;];
    			RealUsuario2=Number(obj[&#39;euro&#39;])*CotacaoEuro;
    			
    			Oi=1*VariacaoDolar;
    			Oi2=1*VariacaoEuro;
    			
    			if (VariacaoDolar&lt;0) {
    			recomend= &quot;Recomenda-se, portanto, comprar d&#243;lares.&quot;;
    			}
    			
    			else if (VariacaoDolar=0){
    				recomend=&quot;&quot;;
    			}
    			
    			else {
    				recomend=&quot;Recomenda-se, portanto, vender d&#243;lares.&quot;;
    				  }
    				  
    			if (VariacaoEuro&lt;0) {
    			recomend2= &quot;Recomenda-se, portanto, comprar euros.&quot;;
    			}
    			
    			else if (VariacaoEuro=0){
    				recomend2=&quot;&quot;;
    			}
    			else {
    				recomend2=&quot;Recomenda-se,portanto, vender euros.&quot;;
    				  }	  
    				  
    			res.render(&#39;cotacao_response.jade&#39;, {
                     		 &#39;CotacaoDolar&#39;:CotacaoDolar,
    						&#39;VariacaoDolar&#39;:VariacaoDolar,
    						&#39;Atualizacao&#39;:Atualizacao,
    						&#39;RealUsuario&#39;:RealUsuario,
    						&#39;DolarUsuario&#39;:DolarUsuario,
    						&#39;CotacaoEuro&#39;:CotacaoEuro,
    						&#39;VariacaoEuro&#39;:VariacaoEuro,
    						&#39;RealUsuario2&#39;:RealUsuario2,
    						&#39;recomend&#39;:recomend,
    						&#39;recomend2&#39;:recomend2,
    						&#39;Oi&#39;:Oi,
    						&#39;Oi2&#39;:Oi2
                });
    			
    		app.get(&#39;/home2&#39;, function (req,res) {
        http.get(&#39;https://www.quandl.com/api/v3/datasets/BCB/432.json?api_key=d1HxqKq2esLRKDmZSHR2&#39;, function (res3) {
            var body = &#39;&#39;;
            res3.on(&#39;data&#39;, function (chunk) {
                body += chunk;
            });
    		res3.on(&#39;end&#39;, function () {
                var x=json.dataset.data[0][1];
          console.log(&quot;My JSON is &quot;+x); });
          
        });
        });
            });
        });
    });


Here is a print of the error screen I get: [![enter image description here][1]][1]


  [1]: http://i.stack.imgur.com/mYhwC.png

Node js Error: Protocol &quot;https:&quot; not supported. Expected &quot;http:&quot;

I am getting a *Module not found error* when using [`jwt`][1]. Here is how I declared it:

    def create_jwt_token():
        payload = {
            &quot;iat&quot;: int(time.time())
        }

        shared_key = REST_API_TOKEN
        payload[&#39;email&#39;] = EMAIL
        payload[&#39;password&#39;] = PASSWORD

        jwt_string = jwt.encode(payload, shared_key)
        encoded_jwt = urllib.quote_plus(jwt_string)  # URL encode the JWT string

        return encoded_jwt

The error message says encode is not found in `jwt`. I did a tab on `jwt` and found that the encode is a method inside `jwt.JWT`. I tried changing it to

    jwt_string = jwt.JWT.encode(payload, shared_key)

and it gives this error:

&gt; unbound method encode() must be called with JWT instance as first argument (got dict instance instead)

What am I doing it wrong? Here is the version information of my Python environment:

&gt; 2.7.10 |Anaconda 2.3.0 (64-bit)| (default, May 28 2015, 16:44:52) [MSC v.1500 64 bit (AMD64)]

  [1]: https://pypi.org/project/jwt/



JWT: &#39;module&#39; object has no attribute &#39;encode&#39;

I&#39;m wondering what is the best appropriate `Authorization` HTTP header type for [JWT tokens](http://jwt.io/).

One of the probably most popular type is `Basic`. For instance:

    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

It handle two parameters such as a login and a password. So it is not relevant for JWT tokens.

Also, I heard about _Bearer_ type, for instance:

    Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

However, I don&#39;t know its meaning. Is it related to bears?

Is there a particular way to use JWT tokens in the HTTP `Authorization` header? Should we use `Bearer`, or should we simplify and just use:

    Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Thanks.

**Edit:**

Or maybe, just a `JWT` HTTP header:

    JWT: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Best HTTP Authorization header type for JWT

There is a lot of information on the web about using JWT (`Json Web Token`) for authentication. But I still didn&#39;t find a clear explanation of what the flow should be when using JWT tokens for *a single sign-on solution in a multiple domains environment*.

I work for a company which has a lot of sites on different hosts. Let&#39;s use **example1.com** and **example2.com**. We need a single sign-on solution, which means if a user authenticates on **example1.com**, we want him to also be authenticated on **example2.com**, automatically.

Using the [OpenId Connect][1] flow, I understand that the user who wants to authenticate on **example1.com** will first be redirected to the **authentication server** (or `OP` : &quot;OpenId Provider&quot;). The user authenticates on that server which then redirects him back to the original **example1.com** site with a signed JWT token. (I understand there is another flow which returns an *intermediate token* that itself can be exchanged for the real JWT token later on, but I don&#39;t think this is required for us)...

So now the user is back on **example1.com** and is authenticated! He can make requests, passing the JWT token in a `Authentication` header and the server is able to verify the signed JWT and therefore is able to identify the user. Nice!

***First question :***

How should the JWT token be stored on the client? There is, again, a lot of information about this, and people seem to agree that using `Web Storage` is the way to go rather than good old `cookies`. We want the JWT to be persistent between browser restarts so let&#39;s use `Local Storage`, not `Session Storage`...

Now the user can restart his browser and he will still be authenticated on **example1.com**, as long as the JWT token is not expired!

Also, if **example1.com** needs to make an Ajax request to another of our domains, I understand configuring [CORS][2] would allow that. But our main use case is not cross-domain requests, it&#39;s having a *single sign-on solution*!

***Therefore, the main question :*** 

Now, what should the flow be, if the user goes to **example2.com** and we want him to be authenticated, using the JWT token he already has? `Local Storage` doesn&#39;t seem to allow cross-domain access so at this point the browser can&#39;t read the JWT token to make requests to **example2.com**! 

Should :

 - The user be redirected to the **authentication server** again? When the user authenticated for **example1.com**, the
   **authentication server** may have set a cookie on the user so this new authentication request for **example2.com** could use that cookie to see that the user is already authenticated and immediately redirects him back to
   **example2.com** with the same JWT token?
 - Or can the browser, on **example2.com**, access the JWT token without having to go to the **authentication server** again? I see there are [cross-storage solutions][3], but are those widely used? Are they the suggested solution to a cross domain SSO environment? 

We don&#39;t want anything fancy, we would be happy with the mostly used solution!

  [1]: http://openid.net/connect/
  [2]: https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
  [3]: https://github.com/zendesk/cross-storage

Single sign-on flow using JWT for cross domain authentication

I have created JWT based Authentication in my Web API application.
I am not able to figure out the difference between

 1. Basic Token
 2. Bearer Token

Can someone please help me?

Web API Authentication Basic vs Bearer

I am trying to implement stateless authentication with JWT for my RESTful APIs.

AFAIK, JWT is basically an encrypted string passed as HTTP headers during a REST call.

But what if there&#39;s an eavesdropper who see the request and *steals the token*?  Then he will be able to fake request with my identity?

Actually, this concern applies to all *token-based authentication*.

How to prevent that? A secure channel like HTTPS?

Content Type	Original Author	Original Content on Stackoverflow
Question	allen kim	View Question on Stackoverflow
Solution 1 - Security	Hans Z.	View Answer on Stackoverflow
Solution 2 - Security	hakre	View Answer on Stackoverflow

Is it safe to put a jwt into the url as a query parameter of a GET request?

Security Problem Overview

Security Solutions

Solution 1 - Security

Solution 2 - Security

FFMPEG mp4 from http live streaming m3u8 file?

How to remove a key-value pair from swift dictionary?

Attributions