Category: Security · Level: Intermediate

JWT Best Practices and Security Considerations

Explain JWT structure and key security considerations.

JWT Structure

A JWT has the form Header.Payload.Signature: three Base64URL-encoded parts separated by dots.

Security Considerations

1. Use Strong Algorithms

Use RS256 (asymmetric) or HS256 (symmetric). Never allow alg: none.

2. Set Reasonable Expiration

Use short-lived access tokens (for example 15 minutes) combined with refresh tokens for longer sessions.

3. Storage Location

  • HttpOnly Cookie: Prevents XSS theft, but needs CSRF protection.
  • In-memory variable: Prevents persistent theft, but lost on page refresh.
  • Avoid localStorage: Easily read by XSS.

4. Token Revocation

JWTs are stateless by design, so there is no built-in way to revoke one. Common solutions: keep a blacklist of revoked tokens in Redis, or keep the TTL short so a token cannot be misused for long.
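The blacklist approach above, as an added example that is not part of the original page. It assumes every issued token carries a unique `jti` claim and a numeric `exp` (seconds since the epoch); a `Map` stands in for Redis, and `revoke` does what `SET <jti> 1 EX <remaining ttl>` would do, so entries disappear together with the tokens they block. The clock is injectable so the walkthrough is deterministic.

```javascript
// Added example (not from the original page): a revocation blacklist for stateless JWTs.
// Assumes tokens carry a unique `jti` and a numeric `exp`; the Map plays the role of Redis.

class RevocationList {
  constructor(now = () => Math.floor(Date.now() / 1000)) {
    this.now = now;            // injectable clock in seconds, so behaviour is testable
    this.entries = new Map();  // jti -> exp after which the entry can be dropped
  }

  // Revoke a token before its natural expiry (logout, password change, suspected theft).
  // Returns the TTL in seconds the entry will live; 0 means the token is already expired
  // and the normal exp check will reject it, so no entry is stored.
  revoke(payload) {
    if (typeof payload.jti !== 'string' || typeof payload.exp !== 'number') {
      throw new Error('token needs jti and exp claims to be revocable');
    }
    const ttl = payload.exp - this.now();
    if (ttl <= 0) return 0;
    this.entries.set(payload.jti, payload.exp);
    return ttl;
  }

  // Called on every request, after the signature and claims have been validated.
  isRevoked(payload) {
    this.purge();
    return this.entries.has(payload.jti);
  }

  // Drop entries whose token has expired anyway (Redis does this for you via EX).
  purge() {
    const t = this.now();
    for (const [jti, exp] of this.entries) {
      if (exp <= t) this.entries.delete(jti);
    }
  }

  size() {
    return this.entries.size;
  }
}

// Constructed walkthrough: a 15-minute token is revoked 5 minutes in.
function demo() {
  let clock = 1_700_000_000;
  const list = new RevocationList(() => clock);
  const payload = { sub: 'user-42', jti: 'demo-jti-01', exp: clock + 15 * 60 };

  clock += 5 * 60;
  const ttl = list.revoke(payload);            // 600 seconds of lifetime left to block
  const blockedNow = list.isRevoked(payload);  // true while the token is still live

  clock += 11 * 60;                            // past exp: entry purged, exp check rejects anyway
  const afterExpiry = list.isRevoked(payload); // false, and the list is empty again
  return { ttl, blockedNow, afterExpiry, remaining: list.size() };
}
```

The important property is that the blacklist only ever holds tokens that are still within their lifetime, so its size is bounded by the number of live tokens rather than by the history of all logouts; with short access-token TTLs (see point 2) that stays small.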

5. Validate All Claims

Always validate exp (expiration), iss (issuer), and aud (audience).

Copyright © 2026 Wood All Rights Reserved · FE Interview Hub