
Bearer tokens are susceptible to theft and what you can do about it

I have been recommending JWTs to control access to REST APIs. High time for some caveats! Here is number one: most Security Token Services (STS) issue bearer tokens.

Bearer tokens are like cash: whoever is carrying them can use them. They are unlike cash in that copying, and hence double-spending, is easy. So how do you protect against adversaries stealing tokens and using them maliciously? Here is the immediately actionable answer: only ever send bearer tokens over TLS. Unfortunately, this does not mitigate all threats. Let's see whether we can identify some of the remaining risks and what we can do about them.

As HSTS counters the threat of downgrade to HTTP and its deployment is mostly cheap, turning it on should be a reflex: enable HTTPS, turn on HSTS.
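As an added illustration of the two rules above (not code from the original post), this Python sketch shows a client-side guard that refuses to attach a bearer token to anything but an https:// URL, a redirect policy that drops the token on scheme downgrade or host change, and the Strict-Transport-Security header an API origin should send; all function names and the sample token are assumptions.

```python
from urllib.parse import urlsplit

# Added example, not from the original post. Function names are hypothetical;
# the token below is a constructed placeholder, not a real JWT.


class InsecureTransport(Exception):
    """Raised when a bearer token would leave the client in cleartext."""


def is_tls_url(url: str) -> bool:
    """True only for https:// URLs; everything else is cleartext to us."""
    return urlsplit(url).scheme == "https"


def bearer_headers(url: str, token: str) -> dict:
    """Return the Authorization header for `url`, refusing plain http://."""
    if not is_tls_url(url):
        raise InsecureTransport(
            f"refusing to send bearer token over {urlsplit(url).scheme}://")
    return {"Authorization": f"Bearer {token}"}


def keep_token_on_redirect(from_url: str, to_url: str) -> bool:
    """Decide whether a redirect may carry the token onward.

    Dropping the header on any scheme downgrade or host change stops a
    redirect from turning a TLS request into a cleartext one that leaks
    the token, or from handing it to a different origin.
    """
    src, dst = urlsplit(from_url), urlsplit(to_url)
    return dst.scheme == "https" and dst.hostname == src.hostname


def hsts_header(max_age: int = 31536000, include_subdomains: bool = True):
    """Build the Strict-Transport-Security header an HTTPS origin sends so
    browsers stop attempting plain HTTP at all (the post's HSTS reflex)."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return ("Strict-Transport-Security", value)


if __name__ == "__main__":
    TOKEN = "eyJ.constructed.sample"  # constructed placeholder
    print(bearer_headers("https://api.example.com/v1/orders", TOKEN))
    print(keep_token_on_redirect("https://api.example.com/v1",
                                 "http://api.example.com/v1"))  # False
    print(hsts_header())
```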

All of the above has made it pretty difficult for the attacker to steal the bearer token in transit. What about stealing it at connection end points? Clearly we need to take measures to prevent compromise of both API consumer and…
