FAQ-001063 - JWT and Token Security / JWT Documentation and Security Review


Current FAQ

Question
How should JWT tokens be documented and handled to avoid security review issues, and what are the differences between session tokens and functional JWT tokens?
Answer
To properly document and handle JWT tokens for security review compliance:

**Documentation Requirements for Non-Authentication JWT Tokens:**

1. **Purpose and Use Case**: Clearly explain the purpose and use case of the JWT tokens, stating explicitly that they are not used for authentication where that applies.
2. **Secure Handling**: Detail how tokens are generated, where the signing keys are stored (protected custom settings or protected custom metadata), and how tokens are transmitted (over HTTPS, in a header or request body rather than a URL query string, where they would end up in server and proxy logs).
3. **Token Structure**: Describe the header and the claims, what each claim is used for, and confirm that no sensitive data (credentials, PII, session IDs) is embedded in the payload. A signed JWT payload is only base64url-encoded, not encrypted, so anyone holding the token can read it.
4. **Security Measures**: State the signing algorithm (and the encryption, if JWE is used) that prevents tampering, and that every consumer verifies the signature and the expected algorithm before trusting any claim.
5. **Token Lifecycle**: Document the expiration policy (the `exp` claim), how tokens are rotated, and how the signing key itself is rotated.
6. **Vulnerability Mitigation**: Address the relevant attacks and their mitigations (for example, rejecting unsigned or `alg: none` tokens, checking `exp`, `iss` and `aud`, and detecting replay), referencing Salesforce's secure coding guidelines.

**Differences Between Session Tokens and Functional JWT Tokens:**

- **Session Tokens**: Opaque identifiers tied to a user session; the server looks them up to maintain authentication and authorization for that session. They are short-lived, but anyone who obtains one (from a debug statement, a URL, or an insecure share) can act as that user until it expires or is revoked.
- **Functional JWT Tokens**: Self-contained tokens that carry claims about the user or system and are signed so their integrity can be verified without a server-side lookup. Used for stateless authentication and can eliminate the need for session IDs, at the cost that a token cannot be revoked before it expires unless the consumer keeps a deny list. Issuing them requires secure storage of the private signing key.

**Security Review Implications:**

- **All JWT Types**: All types of JWTs are sensitive data and must never be logged, including in `System.debug` statements, error messages, records or emails.
- **Implementation Fixes**: When fixing JWT authentication findings for re-submission, store the private keys securely, use a self-signed certificate for the signing key where that is acceptable, resolve any runtime errors in the token flow, and document all changes thoroughly.
- **Storage Requirements**: Private keys must be stored in protected custom settings or protected custom metadata, never hardcoded in Apex field declarations, variable declarations or assignments, and never in unprotected settings or records that subscribers can read.
This comprehensive approach ensures clarity and compliance during the security review process.
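As an added example that is not part of this FAQ or of any Salesforce sample code, the Apex class below issues a short-lived RS256-signed functional JWT the way the answer describes: the private key comes from a protected custom metadata type rather than from source code, the reserved claims are set explicitly, and the only thing the class ever offers for logging is a redacted reference, never the token. The metadata type `JWT_Settings__mdt`, its fields `Private_Key__c` (base64 PKCS#8 DER without PEM header lines), `Issuer__c` and `Audience__c`, and the record `Default` are assumed names for this illustration.

```apex
// Added example (not from the FAQ): issuing a short-lived, RSA-signed JWT in Apex
// with the private key read from protected custom metadata instead of the code.
// Assumed: protected custom metadata type JWT_Settings__mdt with fields
// Private_Key__c (base64 PKCS#8 DER), Issuer__c, Audience__c; record 'Default'.
// A protected custom setting (JWT_Settings__c.getOrgDefaults()) works the same way.
public with sharing class JwtIssuer {

    // Anti-pattern flagged by AvoidHardcodedCredentialsInFieldDecls; never do this:
    // private static final String PRIVATE_KEY = 'MIIEvgIBADANBgkqhkiG9w0BAQEFAASC...';

    private static final Integer TOKEN_LIFETIME_SEC = 300; // short-lived: 5 minutes

    public class JwtConfigException extends Exception {}

    /** Returns the compact serialization header.payload.signature for the subject. */
    public static String issue(String subject, Map<String, Object> extraClaims) {
        JWT_Settings__mdt cfg = JWT_Settings__mdt.getInstance('Default');
        if (cfg == null || String.isBlank(cfg.Private_Key__c)) {
            // Fail closed: never fall back to a key baked into the class.
            throw new JwtConfigException('JWT signing key is not configured');
        }

        Long nowSec = System.currentTimeMillis() / 1000;
        Map<String, Object> header = new Map<String, Object>{
            'alg' => 'RS256', 'typ' => 'JWT'
        };
        Map<String, Object> claims = new Map<String, Object>{
            'iss' => cfg.Issuer__c,
            'sub' => subject,
            'aud' => cfg.Audience__c,
            'iat' => nowSec,
            'exp' => nowSec + TOKEN_LIFETIME_SEC,
            // Random token id so a consumer can detect replay of the same token.
            'jti' => EncodingUtil.convertToHex(Crypto.generateAesKey(128))
        };
        if (extraClaims != null) {
            for (String k : extraClaims.keySet()) {
                // Reserved claims above win; extra claims must be documented
                // and must not carry credentials, PII or session IDs.
                if (!claims.containsKey(k)) {
                    claims.put(k, extraClaims.get(k));
                }
            }
        }

        String signingInput = b64url(Blob.valueOf(JSON.serialize(header))) + '.'
                            + b64url(Blob.valueOf(JSON.serialize(claims)));
        Blob privateKey = EncodingUtil.base64Decode(cfg.Private_Key__c);
        Blob signature = Crypto.sign('RSA-SHA256', Blob.valueOf(signingInput), privateKey);
        // The result is sensitive data: return it, never System.debug it.
        return signingInput + '.' + b64url(signature);
    }

    /**
     * Safe reference for debug logs and support cases. Works for opaque session
     * IDs as well as JWTs, because it never echoes any part of the token.
     */
    public static String redact(String token) {
        if (String.isBlank(token)) {
            return 'token:<empty>';
        }
        Blob digest = Crypto.generateDigest('SHA-256', Blob.valueOf(token));
        // A hash prefix lets two log lines be correlated without exposing the token.
        return 'token:sha256:' + EncodingUtil.convertToHex(digest).substring(0, 12);
    }

    // JWT uses unpadded, URL-safe base64 (RFC 7515 section 2).
    private static String b64url(Blob input) {
        return EncodingUtil.base64Encode(input)
            .replace('+', '-').replace('/', '_').replaceAll('=+$', '');
    }
}
```

If the signing key is an org certificate managed under Certificate and Key Management, the built-in `Auth.JWT` and `Auth.JWS` classes (`new Auth.JWS(jwt, certDeveloperName).getCompactSerialization()`) sign with that certificate without the private key ever being readable from Apex, which is the better choice whenever the key does not have to ship inside the package. In either design the key value must not appear in a field declaration, variable declaration or assignment, and the token must never reach `System.debug`; `redact()` is what a caller passes to a log line instead.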


AI Recommended Enhancement

Related Security Rules

- ApexBadCrypto
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarDecls
- AvoidHardcodedCredentialsInVarAssign
- ApexSuggestUsingNamedCred
- ProtectSensitiveData
Reasoning
The FAQ content is generally accurate and well-structured. I made minimal changes to improve readability and tone: changed 'they are short-lived' to 'they're short-lived' for a more conversational tone. The FAQ appropriately covers JWT documentation requirements, security handling, and storage requirements, which directly relate to multiple security rules. For ApexBadCrypto: the FAQ discusses 'encryption and signing mechanisms' and 'secure storage of private keys', which relates to cryptographic implementations. For AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, and AvoidHardcodedCredentialsInVarAssign: the FAQ emphasizes 'secure storage using protected custom settings or metadata' and warns against improper handling, which directly addresses avoiding hardcoded credentials. For ApexSuggestUsingNamedCred: the FAQ's emphasis on secure storage methods aligns with using proper credential management. For ProtectSensitiveData: the FAQ explicitly states 'All types of JWTs are considered sensitive data and should never be logged', which directly relates to protecting sensitive information.