Is there any security risk when TOKEN is added to HEADER and HTTPS is used to communicate?

in writing a WEB API, I now put TOKEN in the web request header HEADER and use HTTPS to communicate with the server.

will you be hijacked to TOKEN? A little worried about falsifying requests. Ask for advice ~ Thank you!

Dec.13,2021

token is used to ensure the trustworthiness of the data source. As for token itself, the security does not fall within its responsibility.
for example, if the information is generated with jwt, the information stored in it is not encrypted. He only ensures that the information in it is correct. For example, {id:12345} I use this data to generate a token , this token is divided into three pieces of information. The first paragraph is the header Header . The second part is our data Payload , through base64 encryption, the third part is the encrypted signature, generated by Header and Payload as well as our private key.
when the client accesses the server with this token , I will verify the integrity of the whole data through our private key. If verified, it shows that this information is credible. When the information is tampered with, for example, someone gets token and changes the data to {id:56789} , but he does not have a private key, so he cannot generate a correct signature. When the server verifies token , we know that the data has been tampered with, and then perform the corresponding processing.
this is the function of token to ensure the credibility of the data. Make sure that this token is within its limits of authority, but not beyond its limits, such as the information of other users.
of course, you can add other measures according to your needs, such as not wanting others to know the data in token , then you can encrypt this data.
or beware that this token will be obtained by others, as a result of the user's loss. That needs to be ensured by adding other means, such as verifying the visiting ip, such as setting a shorter expiration time, such as the HTTPS you use, or adding more validation, and so on. Reduce the chance of being stolen by increasing the theft cost of a third party.
you can think of token as the bank's banknote detector, which is responsible for verifying that the counterfeit banknotes are all real money. As for whether the money is stolen or obtained by a normal exchange, it is not controlled by the banknote detector, it is managed by the police uncle.

refer to
what is JWT-- JSON WEB TOKEN
server side authentication artifact-- JWT (1)
from-being-hijacked-and-used-to-pose-as-the-original-user"" Rel= "nofollow noreferrer" > What protects a JWT from being hijacked and used to pose as the original user?
What if JWT is stolen?
ide-handling-of-jwt-tokens" rel= "nofollow noreferrer" > Best practices for server-side handling of JWT tokens

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1eb4e93-2510.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1eb4e93-2510.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?