
Goal: When using JWT, I need to secure cookies and mitigate the XSS attack vector in clients.

I understand that a cookie with the HttpOnly attribute is inaccessible to the JavaScript Document.cookie API in the client. The server can access the cookie for session management (shopping cart, game scores, etc.), personalization, and user behavior tracking, but JavaScript code can no longer read and write to the cookie in the client. Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

Question: If I am able to enable HttpOnly, is there any practical gain to encrypt the JWT (JWE)? I see that encryption for the JWT is described on https://www.rfc-editor.org/rfc/rfc7516.

I have not seen posts to indicate that JWE has been a practical choice though.

I would appreciate your insight before I explore the deployment of JWE in production.

1 Answer


One potential benefit would be that if the JWT is encrypted, the client won't be able to view and tweak it manually. Even if there aren't any malicious scripts running, there may well still be several inquisitive users who know how to open the developer console and change things - to see what they can break, or gain privileges they shouldn't, or just for the heck of it. If the JWT is encrypted so that only you on the server can decrypt it, that makes things easier for you because the client has no way to change the payload without breaking it entirely (unless they have another JWT saved or found somewhere).

CertainPerformance
  • But if I enable the HTTPOnly attribute, as per the OWASP best practice checklist, then a script or user on the client side should not be able to alter the cookie or token even if encryption (i.e. JWE) is applied. I would like to understand the practical benefit of enabling JWE when HTTPOnly is already deployed. – JonasVan2023 Oct 27 '22 at 16:19
  • With HTTPOnly, a script on the client side can't modify it, but the user can still do so manually *if it's not encrypted* - which is why there's a benefit to encrypting it even if you have HTTPOnly already. – CertainPerformance Oct 27 '22 at 18:18