On the Security of token and session generated by jwt

now the project I am working on is separated from the front and rear ends, mainly the development of the api interface. The login logic is like this.
first, the user logs in with the account password. If it is correct, the user will automatically generate a token, and store the token in the redis, and return the token to the front end. After that, the front end will add a "X-TOKEN" header to the head of the http every time the api API is called, and the value is stored in it. You will then compare the token with the one in redis to see if it is successful.
the problem is that if someone intercepts and acquires this token value, for example, a user connects to his home"s wifi, and then designs an ajax to store the token value according to that logic and then accesses the api interface, isn"t it possible to get the data directly? where is the security of doing so?

Mar.13,2021

you can use session to attack
in the same way. To solve this problem, you have to rely on https


token not to solve security problems. Token is not to solve security problems. Token is not to solve security problems.


token is to solve cross-problem. And you said the problem of man-in-the-middle attack, design transport layer security, this is not the application layer can solve, as the above friend said, if you have an uneasy heart, then you'd better use https

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1e89727-f56.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1e89727-f56.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?