[Bug 1219688] AUDIT-0: agama: agama web server
https://bugzilla.suse.com/show_bug.cgi?id=1219688
https://bugzilla.suse.com/show_bug.cgi?id=1219688#c6

--- Comment #6 from Imobach Gonzalez Sosa <igonzalezsosa@suse.com> ---

(In reply to Paolo Perego from comment #5)

Hi Paolo,
> Hi everybody. Just some random inputs for JWT. Please make sure to sign or encrypt the token with JWT-specific facilities, to transfer it only over HTTPS and, if you store it in a cookie, to set it as HttpOnly and Secure.
OK, noted.
> There is also an OWASP-provided cheat sheet for JWT tokens, which you can find here: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
Thanks! We will have a look.
> Another point of attention is digital certificates. Please make sure to let the client validate the certificate when doing HTTPS calls. However, I didn't understand the scenario... both client and server will run on the same host, correct?
Which is the right way to validate the certificate? Allowing the user to check the fingerprint?

The client and the server might run on different machines. You can install the system locally (using a browser that runs on the same machine and connects to "localhost") or remotely using your browser. Following Cockpit's approach, when connecting to localhost, we do not see the need to use HTTPS. But when installing remotely, it is mandatory. Does it make sense?

Regards,
Imo

--
You are receiving this mail because:
You are on the CC list for the bug.
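The JWT handling Paolo recommends above (sign the token, pin the algorithm on the server side, and set HttpOnly and Secure when it lives in a cookie), as an added example that is not Agama's code nor part of the bug thread: a stdlib-only HS256 issue/verify pair plus the Set-Cookie attributes. The secret key, the cookie name "session" and the claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample key for the demo; a real server loads a random secret from its config.
SECRET = b"constructed-demo-secret-do-not-reuse"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT: header.payload.signature, each base64url-encoded."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_jwt(token: str, key: bytes, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm on the server side; never honour the token's own "alg"
        # (this rejects alg=none and keeps the sender from choosing the verifier).
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        # Require and enforce an expiry so a leaked token has a bounded lifetime.
        if not isinstance(claims, dict) or claims.get("exp", 0) <= (time.time() if now is None else now):
            return None
    except (ValueError, AttributeError, TypeError):
        return None
    return claims

def session_cookie(token: str, secure: bool = True) -> str:
    """Build the Set-Cookie value: HttpOnly keeps scripts away from the token,
    Secure restricts it to HTTPS (only the localhost-without-TLS case would drop it)."""
    attrs = ["HttpOnly", "SameSite=Strict", "Path=/"]
    if secure:
        attrs.append("Secure")
    return "session=" + token + "; " + "; ".join(attrs)  # "session" is a placeholder cookie name
```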