Created JSON Web Encryption Cheat Sheet
This PR closes #1225. This is the draft of the JSON Web Encryption (JWE) Cheat Sheet for the OWASP Cheat Sheet Series.
🔹 Key Highlights:
- 📌 Introduction to JWE: Explains its structure, use cases, and differences from JWT.
- 🔐 Choosing Secure Encryption Algorithms: Covers AES-GCM, ECDH-ES, RSA-OAEP, and PBES2 with best practices.
- 🛡 Implementation Guidelines: Provides secure encryption and decryption examples in Python & Java.
- ⚠ Security Best Practices:
  - Validation of `alg` and `enc` headers to prevent header manipulation.
  - Proper key management, avoiding nonce/IV reuse, and ensuring AEAD encryption.
  - Secure storage recommendations (avoid localStorage/sessionStorage).
  - Protection against replay attacks, token expiration policies, and TLS/SSL enforcement.
- ⚡ Common Pitfalls to Avoid: Covers weak algorithm risks, improper key handling, and compression vulnerabilities.
- 🔄 JWE vs JWS & JWT: Explains when to use each and how to combine JWE with JWS for integrity & confidentiality.
This draft follows OWASP ASVS cryptography best practices and aims to provide developers with a structured guide for securely implementing JWE.
Looking forward to feedback and improvements! 🚀
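The `alg`/`enc` header validation listed above, as an added example that is not part of this PR or of the cheat sheet draft: a standard-library-only Python check that parses a compact-serialised JWE and enforces an algorithm policy before any key unwrapping or decryption takes place. The allowlists, the `expected_alg`/`expected_enc` parameters, the `SUPPORTED_CRIT` set and the sample tokens are assumptions for illustration; the token bodies are placeholder bytes, not real AES-GCM output. Comparing the header against what the application expects, rather than against the allowlist alone, is what stops a token from switching the server to a different but still permitted algorithm.

```python
import base64
import binascii
import json

# Policy assumed for this example (not text from the cheat sheet draft): only
# AEAD content encryption and non-deprecated key management algorithms.
ALLOWED_ALG = {"dir", "A256KW", "ECDH-ES", "ECDH-ES+A256KW", "RSA-OAEP-256"}
ALLOWED_ENC = {"A128GCM", "A256GCM"}
# Header parameters this checker would honour if a token lists them in "crit".
# Empty here, so any "crit" entry is rejected, as RFC 7516 requires for
# parameters the recipient does not understand.
SUPPORTED_CRIT: set = set()
_B64URL_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


class JweHeaderError(ValueError):
    """Raised when a compact JWE fails a structural or policy check."""


def _b64url_decode(segment: str) -> bytes:
    # urlsafe_b64decode silently drops characters outside its alphabet, so
    # check the alphabet ourselves; JWE segments never carry '=' padding.
    if not set(segment) <= _B64URL_ALPHABET:
        raise JweHeaderError("segment is not unpadded base64url")
    try:
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    except (binascii.Error, ValueError) as exc:
        raise JweHeaderError(f"bad base64url segment: {exc}") from exc


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_compact_jwe(token: str) -> dict:
    """Split a compact JWE into its five parts without trusting any of them."""
    parts = token.split(".")
    if len(parts) != 5:
        raise JweHeaderError(f"expected 5 segments, got {len(parts)}")
    raw_header = _b64url_decode(parts[0])
    try:
        header = json.loads(raw_header)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        raise JweHeaderError("protected header is not valid JSON") from exc
    if not isinstance(header, dict):
        raise JweHeaderError("protected header must be a JSON object")
    names = ("encrypted_key", "iv", "ciphertext", "tag")
    parsed = {n: _b64url_decode(s) for n, s in zip(names, parts[1:])}
    parsed["header"] = header
    return parsed


def validate_jwe(parsed: dict, expected_alg: str, expected_enc: str) -> dict:
    """Enforce the algorithm policy before any key unwrap or decryption.

    expected_alg/expected_enc are what the application requires for this token
    type; the header is compared against them, never used to choose them.
    """
    h = parsed["header"]
    alg, enc = h.get("alg"), h.get("enc")
    if not isinstance(alg, str) or not isinstance(enc, str):
        raise JweHeaderError("alg and enc must both be present strings")
    if alg not in ALLOWED_ALG or enc not in ALLOWED_ENC:
        raise JweHeaderError(f"{alg}/{enc} is outside the allowlist")
    if (alg, enc) != (expected_alg, expected_enc):
        raise JweHeaderError(f"{alg}/{enc} is not the expected pair")
    if "zip" in h:  # compression before encryption is rejected outright
        raise JweHeaderError("zip header is not permitted")
    crit = h.get("crit", [])
    if (not isinstance(crit, list) or not all(isinstance(c, str) for c in crit)
            or not set(crit) <= SUPPORTED_CRIT):
        raise JweHeaderError("unsupported critical header parameter")
    # RFC 7518: "dir" and "ECDH-ES" carry an empty JWE Encrypted Key; every
    # other key management algorithm must carry a non-empty one.
    has_key = bool(parsed["encrypted_key"])
    if has_key == (alg in ("dir", "ECDH-ES")):
        raise JweHeaderError("encrypted key presence does not match alg")
    # RFC 7518: the AES-GCM content encryption algorithms use a 96-bit IV
    # and a 128-bit authentication tag.
    if len(parsed["iv"]) != 12 or len(parsed["tag"]) != 16:
        raise JweHeaderError("IV or tag length is wrong for AES-GCM")
    return h


def is_accepted(token: str, expected_alg: str, expected_enc: str) -> bool:
    """True if the token passes every check above, False on any rejection."""
    try:
        validate_jwe(parse_compact_jwe(token), expected_alg, expected_enc)
    except JweHeaderError:
        return False
    return True


def make_sample_token(header: dict, key: bytes, iv: bytes, ct: bytes, tag: bytes) -> str:
    """Constructed test input only: the bytes are placeholders, not ciphertext."""
    segs = (json.dumps(header, separators=(",", ":")).encode(), key, iv, ct, tag)
    return ".".join(_b64url_encode(s) for s in segs)


# Constructed sample tokens (assumed inputs, not from the cheat sheet).
GOOD_TOKEN = make_sample_token({"alg": "dir", "enc": "A256GCM"},
                               b"", b"\x00" * 12, b"placeholder", b"\x01" * 16)
ALG_DOWNGRADE = make_sample_token({"alg": "RSA1_5", "enc": "A128CBC-HS256"},
                                  b"\x02" * 32, b"\x00" * 16, b"p", b"\x01" * 16)
ZIP_TOKEN = make_sample_token({"alg": "dir", "enc": "A256GCM", "zip": "DEF"},
                              b"", b"\x00" * 12, b"p", b"\x01" * 16)

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("downgrade", ALG_DOWNGRADE), ("zip", ZIP_TOKEN)):
        print(name, "accepted" if is_accepted(tok, "dir", "A256GCM") else "rejected")
```

In a real service the accepted header is then used only to select the pre-configured key and AEAD primitive; the actual decryption would come from a JWE library, which this example deliberately leaves out so the policy checks stay visible and dependency-free.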
I suggest rather than dumping this here, you put it up on Google Drive and then get a bunch of people to collaborate with you. Should you decide to do that, I may even be able to find a few people way more qualified than me to review it. (No promises, but I certainly can try.)
To be fair, I told Rohit to create this PR for review and not use GD ;) Rohit also created a Google Doc for this: https://docs.google.com/document/d/1Nsb3TUVLvHnFHRxmr9sm7eBDo6-lhUnK2wuzrOTA2OE/edit?usp=sharing https://owasp.slack.com/archives/C073YNUQG/p1738686916585789
I am fine with doing the review in GD if that will be easier for this.
This reminds me of someone who has captured a bunch of notes during a lecture and then is trying to regurgitate the information in some coherent format. This approach seems a bit scattershot to me and I find it very difficult to follow and I probably understand the underlying concepts better than most.
I appreciate your detailed feedback. This cheat sheet was carefully structured based on extensive research, best practices, and my experience with JWE. The goal was to create a well-rounded, security-focused resource, but I understand the need to align it more closely with existing standards and refine its coherence.
To facilitate broader collaboration, I am creating a new Google Drive document where contributors can provide structured input. However, I want to ensure this remains a focused and security-driven effort rather than just an open-ended discussion. I welcome constructive contributions that help refine the content while maintaining its technical depth and practical applicability.
https://docs.google.com/document/d/1OXTeldzECNxxH3u9tb25rlf9unDRwYSgotldsQuvZZY/edit?usp=sharing
@caffeine-rohit - Thanks for being flexible with this. Let's move this review over to the Google Docs link until we get it closer to what we would like it to be. I will see if I can get a few others who have a reasonably strong cryptography background to also look at and comment on it. It may take me a bit to get to it though as I'm in the middle of gathering all my tax info to hand off to my CPA and also some ESAPI related questions have come up that I first need to deal with.
Thanks @kwwall and @caffeine-rohit
Hey @caffeine-rohit and @kwwall any progress on this PR?
Do you need any help here?
Hey Sir @mackowski, I was occupied with some professional work, but I'm now free this summer. I'll dive back into the PR and refine the Cheat Sheet with input from the community. Thanks!!
hey @caffeine-rohit any updates on this?
Hi! Working on it, Sir.