Add Security configuration paragraph

Mention option to set jwt secret code via `JWT_SECRET` environment variable
Jozef Cipa 2020-01-02 15:55:07 +01:00 committed by GitHub
parent 169145b051
commit 9a91433176
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -11,7 +11,7 @@ To access the plugin admin panel, click on the **Users & Pemissions** link in th
## Concept
When this plugin is installed, it adds an access layer on your application.
The plugin uses [`jwt token`](https://fr.wikipedia.org/wiki/JSON_Web_Token) to authenticate users.
The plugin uses [`jwt token`](https://en.wikipedia.org/wiki/JSON_Web_Token) to authenticate users.
Each time an API request is sent, the server checks if an `Authorization` header is present and verifies if the user making the request has access to the resource..
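Review bot: The link correction from `fr.wikipedia.org` to `en.wikipedia.org` is right for English docs, but the surrounding context this hunk touches still carries two typos that could be fixed in the same commit: the header context reads "Users & Pemissions" (should be "Permissions"), and the unchanged trailing line ends with a doubled period in "has access to the resource..".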
@ -435,3 +435,6 @@ You can update these template in the **Email Templates** tab in the admin panel.
- ...and every other fields that you added manually in the model.
- `CODE` corresponds to the CODE generated to be able confirm the user email.
- `URL` is the Strapi backend URL that confirm the code (by default `/auth/email-confirmation`).
## Security configuration
JWT tokens can be verified and trusted because the information is digitally signed. To sign a token a *secret* is required. By default Strapi generates one that is stored in `./your-app/extensions/users-permissions/config/jwt.json`. This is useful during development but for security reasons it's **recommended** to set a custom token via environment variable `JWT_SECRET` when deploying to production.
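Review bot: The new paragraph says to set `JWT_SECRET` in production but does not say why the default is a risk or what the secret should look like, which is the part a deployer needs. Suggest adding one sentence that the generated `./your-app/extensions/users-permissions/config/jwt.json` is a file on disk that is easy to share across environments or check into version control, so anyone who reads it can mint valid tokens, and one sentence that the value should be a long random string and that changing it invalidates every token signed with the old secret. Also consider renaming "JWT tokens" to "JWTs" or "JSON Web Tokens" (the T already stands for token), and inserting a blank line before `## Security configuration` to match the spacing of the other headings in this file.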