Tanguy Krotoff tkrotoff

@nickw444
nickw444 / README.md
Last active Apr 21, 2020
ga-z77x-d3h notes
@samsch
samsch / stop-using-jwts.md
Last active Jul 31, 2020
Stop using JWTs

Stop using JWTs!

TLDR: JWTs should not be used for keeping your user logged in. They are not designed for this purpose, they are not secure, and there is a much better tool which is designed for it: regular cookie sessions.

If you've got a bit of time to watch a presentation on it, I highly recommend this talk: https://www.youtube.com/watch?v=pYeekwv3vC4 (Note that other topics are largely skimmed over, such as CSRF protection. You should learn about other topics from other sources. Also note that the "valid" use cases for JWTs at the end of the video can also be easily handled by other, better, and more secure tools. Specifically, PASETO.)

A related topic: Don't use localStorage (or sessionStorage) for authentication credentials, including JWT tokens: https://www.rdegges.com/2018/please-stop-using-local-storage/

The reason to avoid JWTs comes down to a couple of different points:

  • The JWT specification is specifically designed only for very short-lived tokens (~5 minutes or less). Sessions
@johntyree
johntyree / getBlockLists.sh
Last active Aug 5, 2020
Make one large blocklist from the bluetack lists on iblocklist.com
#!/usr/bin/env sh
# Download lists, unpack and filter, write to stdout
# 1. Fetch the iblocklist.com index page.
# 2. Extract every 'bt_' list URL from the value='...' attributes.
# 3. Download each list (gzip-compressed) and stream it to stdout.
# 4. Decompress the concatenated stream.
# 5. Drop comment lines so only blocklist entries remain.
curl -s https://www.iblocklist.com/lists.php \
| sed -n "s/.*value='\(http:.*=bt_.*\)'.*/\1/p" \
| xargs wget -O - \
| gunzip \
| grep -v '^#'