shieldfy / API-Security-Checklist

Checklist of the most important security countermeasures when designing, testing, and releasing your API
MIT License

Add http headers size limit problem #166

Closed magmax closed 1 year ago

magmax commented 1 year ago

JWT adds a header and a signature (usually the same one, size constant for both), and encodes data in base64, which requires around 4/3 the original data size.

Including data that grows, such as a list of role descriptions that can be added to the user, it is easy to create a big JWT.

Problems:

- This big JWT is going to be sent on every communication, generating larger messages and consuming more network resources.
- Every web server has a header size limit that is between 4k and 48k. Any header beyond that will be rejected, generating a hard-to-debug selective DoS problem.

Added spanish translation as well.
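The size growth described in this comment can be measured rather than guessed. The following is an added example (not code from the API-Security-Checklist project or from the PR author): it builds an HS256-signed JWT with only the Python standard library, computes the bytes the `Authorization: Bearer` header would occupy on the wire, and finds how many role descriptions fit under a given server header limit. The signing key, the `user-123` subject and the role strings are constructed placeholders; `roles_until_limit` and `check_header_budget` are hypothetical helper names chosen for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key; a real service loads this from a secret store.
EXAMPLE_KEY = b"example-secret-not-for-production"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT/JWS uses it (RFC 7515 section 2).
    Output length is about 4/3 of the input length, which is the expansion
    the PR comment refers to."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_hs256_jwt(claims: dict, key: bytes = EXAMPLE_KEY) -> str:
    """Build a compact JWS: base64url(header).base64url(claims).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    encoded_header = b64url(json.dumps(header, separators=(",", ":")).encode())
    encoded_claims = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{encoded_header}.{encoded_claims}"
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(signature)}"


def authorization_header_size(token: str) -> int:
    """Bytes occupied by the full request header line carrying the token."""
    return len(f"Authorization: Bearer {token}\r\n".encode("ascii"))


def check_header_budget(token: str, limit: int) -> dict:
    """Compare the header line against a server's header size limit.
    `limit` stands in for a real server's setting (the comment cites 4k to 48k)."""
    size = authorization_header_size(token)
    return {"size": size, "limit": limit, "over_limit": size > limit}


def build_roles(n: int, role_len: int = 40) -> list:
    """Constructed role descriptions, `n` of them, each `role_len` characters."""
    return [f"role-{i:04d}-" + "x" * (role_len - 10) for i in range(n)]


def roles_until_limit(limit: int, role_len: int = 40) -> int:
    """Smallest number of role descriptions at which the Authorization
    header line exceeds `limit` bytes. Header size is monotonic in n, so a
    linear scan is enough for a budget check."""
    n = 0
    while True:
        claims = {"sub": "user-123", "roles": build_roles(n, role_len)}
        if check_header_budget(make_hs256_jwt(claims), limit)["over_limit"]:
            return n
        n += 1


if __name__ == "__main__":
    for limit in (4096, 8192):
        n = roles_until_limit(limit)
        print(f"limit {limit} bytes: token overflows at {n} roles of 40 chars")
```

A deployment can run this kind of check in CI against the smallest header limit in its path (load balancer, reverse proxy, application server), and fail the build when the claims a user can legitimately accumulate push the token past it; that turns the "selective DoS" from a production surprise into a test failure.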

Maikuolan commented 1 year ago

Merged. Thanks for the contribution. :+1: 😊