You're right, but the header information isn't clear enough. The package contains a one-time id function (an id which will only live for 30 seconds), which will reduce the moments where hijackers can steal the id. Sure, it isn't a perfect solution, but it is a more secure one and helps against Local Storage copiers 😆
I would have added or used a user agent middleware on the server side: compiling user agent information into the JWT and then checking it through the middleware, and if the user agent + headers aren't the same, then don't process the request.
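The user-agent binding described in the comment above, as an added example that is not code from the thread or from the package discussed: a minimal HS256 JWT built with the Python standard library (a constructed demo secret, a 30-second lifetime matching the first comment) and a middleware-style check that rejects a token presented with a different User-Agent, an expired token, or a tampered signature.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-reuse"  # placeholder for illustration only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def ua_fingerprint(user_agent: str) -> str:
    # Store a hash of the User-Agent in the token rather than the raw string.
    return hashlib.sha256(user_agent.encode()).hexdigest()


def issue_token(sub: str, user_agent: str, ttl: int = 30, now=None) -> str:
    """Issue a short-lived HS256 JWT bound to the caller's User-Agent."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "exp": now + ttl, "ua": ua_fingerprint(user_agent)}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_request(token: str, user_agent: str, now=None):
    """Middleware check: returns (True, subject) or (False, reason)."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header, payload, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if header.get("alg") != "HS256":  # never trust the alg header to pick the algorithm
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if payload.get("exp", 0) <= now:
        return False, "expired"
    if not hmac.compare_digest(payload.get("ua", ""), ua_fingerprint(user_agent)):
        return False, "user agent mismatch"
    return True, payload["sub"]
```

A copied token still works for an attacker who also copies the User-Agent, so this narrows the window rather than closing it, which is the same caveat the comments above make.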