29Mar
Is it secure to send JWT tokens in url query parameters if we use nonce to make it a one time token?
Websockets don't support sending auth tokens during the websocket handshake as part of HTTP headers, only via query parameters. This carries the security risk of leaking these tokens in server logs. However, if we create these JWT tokens with a very short expiry and a nonce/jti and make each one a one-time token, does that mitigate the risk? Is there anything I am missing or that needs to be considered from a security perspective?
Another way of doing auth in websockets is to send the auth token as the first message after creating the websocket connection, but that also introduces the risk of unauthenticated users creating server connections, leading to potential DoS.