Rule ID
SV-274681r1143714_rule
Version
V1R1
CCIs
CCI-002007
By setting an expiration date on refresh tokens, the potential for abuse of a leaked token is reduced. Additionally, limiting their lifespan ensures tokens are regularly rotated, forcing users to reauthenticate periodically, which strengthens overall security and ensures access rights are up to date. This practice helps mitigate risks such as unauthorized access and session hijacking.
Verify API refresh tokens are configured to expire according to organizational defined parameters. If API refresh tokens are not configured to expire according to organizational defined parameters, this is a finding.
Build or configure API refresh tokens to expire according to organizational defined parameters.