Week 10

Back end Track

JWT

Under construction

🚧 This page is currently under construction. Please check back later.

Implementation plan:

  1. What is JWT — a self-contained, stateless token
  2. Why JWT exists — solving the stateful session problem
  3. JWT structure: header, payload, signature
  4. How signing works — the server signs with a shared secret (HMAC) or a private key (RSA), and verifies with the same secret or the matching public key
  5. Standard claims: sub, iss, exp, iat
  6. Custom claims: adding roles, user info
  7. JWT lifecycle: issuance on login, sent with each request, verification on the server
  8. Token expiration and why short-lived tokens matter
  9. Access tokens vs refresh tokens — why both exist, the refresh flow
  10. Where to store tokens on the client (localStorage vs HttpOnly cookies — exposure to XSS vs CSRF, and what that means for the trade-off)
  11. JWT limitations: can't be revoked easily, token size, payload is readable (base64, not encrypted)
  12. Session-based vs JWT-based: comparison and when to use which
  13. Exercise: decode a JWT on jwt.io and identify its parts
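Added example (not part of the HackYourFuture material) covering plan items 1, 3 to 8 and 11 and the jwt.io exercise in runnable form: it issues an HS256 token with standard and custom claims, shows that the header and payload are readable without any key, verifies the signature and claims the way a server should, and then tries the two attacks a reader should understand (editing the readable payload, and claiming `alg: none`) plus expiry. Only the Python standard library is used; the secret, issuer name, claims and the fixed clock value are made up for the demo.

```python
"""Minimal HS256 JWT: issue, inspect, verify. Added example, not HackYourFuture code."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"demo-secret-change-me"   # assumed shared secret (HMAC: the same key signs and verifies)
ISSUER = "hyf-demo-api"             # assumed issuer name
NOW = 1_700_000_000                 # fixed clock so the demo is reproducible


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes, ttl_seconds: int = 900, now: Optional[int] = None) -> str:
    """Issue header.payload.signature, adding iat/exp to the caller's custom claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_unverified(token: str) -> tuple:
    """What jwt.io shows: header and payload are readable by anyone, no key needed."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_jwt(token: str, secret: bytes, expected_iss: str, now: Optional[int] = None) -> dict:
    """Check the signature first, then the claims. Raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (blocks alg=none / algorithm confusion)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("expired")
    return payload


def check(token: str, secret: bytes, expected_iss: str, now: int) -> Optional[str]:
    """None when the token is accepted, otherwise the reason it was rejected."""
    try:
        verify_jwt(token, secret, expected_iss, now=now)
        return None
    except ValueError as exc:
        return str(exc)


def forge_role(token: str, new_role: str) -> str:
    """Attacker move: edit the readable payload but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload["role"] = new_role
    new_payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return ".".join([header_b64, new_payload_b64, sig_b64])


def alg_none_token(token: str) -> str:
    """Attacker move: claim alg=none and drop the signature entirely."""
    _, payload_b64, _ = token.split(".")
    header_b64 = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}."


if __name__ == "__main__":
    token = sign_jwt({"sub": "42", "iss": ISSUER, "role": "user"}, SECRET, ttl_seconds=900, now=NOW)
    print("token:", token)
    print("decoded without key:", decode_unverified(token))
    print("fresh token:", check(token, SECRET, ISSUER, NOW + 60))
    print("forged role:", check(forge_role(token, "admin"), SECRET, ISSUER, NOW + 60))
    print("alg=none:", check(alg_none_token(token), SECRET, ISSUER, NOW + 60))
    print("after expiry:", check(token, SECRET, ISSUER, NOW + 901))
```

Two design points worth noticing: the algorithm is pinned server-side rather than read from the token, and the signature is checked before any claim is looked at, so a forged payload is rejected before its contents can influence anything. The 900-second TTL is the "short-lived access token" from item 8; a refresh token would be a separate, longer-lived credential exchanged for a new access token, not covered here.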

The HackYourFuture curriculum is licensed under CC BY-NC-SA 4.0

*https://hackyourfuture.net/*