From 4981240dea169a5bbdf31db18af62f9d474c495c Mon Sep 17 00:00:00 2001 From: Chris Halbersma Date: Fri, 11 Aug 2023 14:23:20 -0700 Subject: [PATCH 1/4] First Draft for JWT Best Practices Doc * Ignores .idea files (pycharm ide) * Index updated by make generate-site * Added assets/JWTCSA as a place for assets and snippets * Added a JWT Cheat Sheet Doc * Fixed google_analytics in mkdocs.yaml * Added pymdownx plugins for: * Admonitions (`blocks.details`) * Code Snippets (`snippets`) * Tabbed Content (`tabbed`) * Pinned modern minimum versions on requirements.txt --- .gitignore | 1 + Index.md | 160 ++++++++++++++++--------- assets/JWTCSA/0-verification.md | 49 ++++++++ cheatsheets/JWT_Cheat_Sheet.md | 200 ++++++++++++++++++++++++++++++++ mkdocs.yml | 13 ++- requirements.txt | 14 +-- 6 files changed, 370 insertions(+), 67 deletions(-) create mode 100644 assets/JWTCSA/0-verification.md create mode 100644 cheatsheets/JWT_Cheat_Sheet.md diff --git a/.gitignore b/.gitignore index b7f244cba9..2d61057b9d 100644 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,4 @@ news.xml package-lock.json yarn.lock venv +/.idea diff --git a/Index.md b/Index.md index 504b52d900..2e3a39a31e 100644 --- a/Index.md +++ b/Index.md 
@@ -1,158 +1,200 @@ -# Introduction +# Index Alphabetical -**64** cheat sheets available. +**86** cheat sheets available. *Icons beside the cheat sheet name indicate in which language(s) code snippet(s) are provided.* -[A](Index.md#a) [B](Index.md#b) [C](Index.md#c) [D](Index.md#d) [E](Index.md#e) [F](Index.md#f) [H](Index.md#h) [I](Index.md#i) [J](Index.md#j) [K](Index.md#k) [L](Index.md#l) [M](Index.md#m) [N](Index.md#n) [O](Index.md#o) [P](Index.md#p) [Q](Index.md#q) [R](Index.md#r) [S](Index.md#s) [T](Index.md#t) [U](Index.md#u) [V](Index.md#v) [W](Index.md#w) [X](Index.md#x) +[A](Index.md#a) [B](Index.md#b) [C](Index.md#c) [D](Index.md#d) [E](Index.md#e) [F](Index.md#f) [G](Index.md#g) [H](Index.md#h) [I](Index.md#i) [J](Index.md#j) [K](Index.md#k) [L](Index.md#l) [M](Index.md#m) [N](Index.md#n) [O](Index.md#o) [P](Index.md#p) [Q](Index.md#q) [R](Index.md#r) [S](Index.md#s) [T](Index.md#t) [U](Index.md#u) [V](Index.md#v) [W](Index.md#w) [X](Index.md#x) ## A -[Access Control Cheat Sheet](cheatsheets/Access_Control_Cheat_Sheet.md). +[Authorization Cheat Sheet](cheatsheets/Authorization_Cheat_Sheet.md). -[Attack Surface Analysis Cheat Sheet](cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.md). +[AJAX Security Cheat Sheet](cheatsheets/AJAX_Security_Cheat_Sheet.md). ![Json](assets/Index_Json.png) -[Authentication Cheat Sheet](cheatsheets/Authentication_Cheat_Sheet.md). - -[AJAX Security Cheat Sheet](cheatsheets/AJAX_Security_Cheat_Sheet.md). ![Json](assets/Index_Json.png) +[Access Control Cheat Sheet](cheatsheets/Access_Control_Cheat_Sheet.md). [Abuse Case Cheat Sheet](cheatsheets/Abuse_Case_Cheat_Sheet.md). -[Authorization Testing Automation Cheat Sheet](cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Xml](assets/Index_Xml.png) +[Authorization Testing Automation Cheat Sheet](cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.md). 
![Java](assets/Index_Java.png) ![Xml](assets/Index_Xml.png) + +[Authentication Cheat Sheet](cheatsheets/Authentication_Cheat_Sheet.md). + +[Attack Surface Analysis Cheat Sheet](cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.md). ## B -[Bean Validation Cheat Sheet](cheatsheets/Bean_Validation_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Xml](assets/Index_Xml.png) +[Bean Validation Cheat Sheet](cheatsheets/Bean_Validation_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Xml](assets/Index_Xml.png) ## C -[Cross-Site Request Forgery Prevention Cheat Sheet](cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md). ![Html](assets/Index_Html.png) - -[Clickjacking Defense Cheat Sheet](cheatsheets/Clickjacking_Defense_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) +[Cryptographic Storage Cheat Sheet](cheatsheets/Cryptographic_Storage_Cheat_Sheet.md). -[Cross Site Scripting Prevention Cheat Sheet](cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Html](assets/Index_Html.png) ![Ruby](assets/Index_Ruby.png) +[Credential Stuffing Prevention Cheat Sheet](cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.md). [Choosing and Using Security Questions Cheat Sheet](cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.md). -[Content Security Policy Cheat Sheet](cheatsheets/Content_Security_Policy_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) +[C-Based Toolchain Hardening Cheat Sheet](cheatsheets/C-Based_Toolchain_Hardening_Cheat_Sheet.md). ![C](assets/Index_C.png) ![Bash](assets/Index_Bash.png) -[Credential Stuffing Prevention Cheat Sheet](cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.md). +[Cross-Site Request Forgery Prevention Cheat Sheet](cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md). 
![Html](assets/Index_Html.png) -[Cryptographic Storage Cheat Sheet](cheatsheets/Cryptographic_Storage_Cheat_Sheet.md). +[Content Security Policy Cheat Sheet](cheatsheets/Content_Security_Policy_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) + +[Clickjacking Defense Cheat Sheet](cheatsheets/Clickjacking_Defense_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) + +[Cross Site Scripting Prevention Cheat Sheet](cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md). ![Html](assets/Index_Html.png) ## D -[Deserialization Cheat Sheet](cheatsheets/Deserialization_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Python](assets/Index_Python.png) +[DOM based XSS Prevention Cheat Sheet](cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) -[Docker Security Cheat Sheet](cheatsheets/Docker_Security_Cheat_Sheet.md). ![Bash](assets/Index_Bash.png) +[Denial of Service Cheat Sheet](cheatsheets/Denial_of_Service_Cheat_Sheet.md). -[Database Security Cheat Sheet](cheatsheets/Database_Security_Cheat_Sheet.md). +[DotNet Security Cheat Sheet](cheatsheets/DotNet_Security_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Csharp](assets/Index_Csharp.png) ![Html](assets/Index_Html.png) ![Xml](assets/Index_Xml.png) ![Sql](assets/Index_Sql.png) -[DotNet Security Cheat Sheet](cheatsheets/DotNet_Security_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Csharp](assets/Index_Csharp.png) ![Html](assets/Index_Html.png) ![Xml](assets/Index_Xml.png) ![Sql](assets/Index_Sql.png) +[Deserialization Cheat Sheet](cheatsheets/Deserialization_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Python](assets/Index_Python.png) -[DOM based XSS Prevention Cheat Sheet](cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md). 
![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) +[Docker Security Cheat Sheet](cheatsheets/Docker_Security_Cheat_Sheet.md). ![Bash](assets/Index_Bash.png) -[Denial of Service Cheat Sheet](cheatsheets/Denial_of_Service_Cheat_Sheet.md). +[Database Security Cheat Sheet](cheatsheets/Database_Security_Cheat_Sheet.md). + +[Django REST Framework Cheat Sheet](cheatsheets/Django_REST_Framework_Cheat_Sheet.md). ![Python](assets/Index_Python.png) + +[DOM Clobbering Prevention Cheat Sheet](cheatsheets/DOM_Clobbering_Prevention_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) ## E -[Error Handling Cheat Sheet](cheatsheets/Error_Handling_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Xml](assets/Index_Xml.png) +[Error Handling Cheat Sheet](cheatsheets/Error_Handling_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Xml](assets/Index_Xml.png) ## F +[Forgot Password Cheat Sheet](cheatsheets/Forgot_Password_Cheat_Sheet.md). + [File Upload Cheat Sheet](cheatsheets/File_Upload_Cheat_Sheet.md). -[Forgot Password Cheat Sheet](cheatsheets/Forgot_Password_Cheat_Sheet.md). +## G -## H +[GraphQL Cheat Sheet](cheatsheets/GraphQL_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Java](assets/Index_Java.png) -[HTML5 Security Cheat Sheet](cheatsheets/HTML5_Security_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Java](assets/Index_Java.png) ![Html](assets/Index_Html.png) ![Json](assets/Index_Json.png) ![Shell](assets/Index_Shell.png) +## H [HTTP Strict Transport Security Cheat Sheet](cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md). +[HTTP Headers Cheat Sheet](cheatsheets/HTTP_Headers_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Xml](assets/Index_Xml.png) ![Php](assets/Index_Php.png) + +[HTML5 Security Cheat Sheet](cheatsheets/HTML5_Security_Cheat_Sheet.md). 
![Javascript](assets/Index_Javascript.png) ![Java](assets/Index_Java.png) ![Html](assets/Index_Html.png) ![Json](assets/Index_Json.png) ![Shell](assets/Index_Shell.png) + ## I -[Injection Prevention Cheat Sheet](cheatsheets/Injection_Prevention_Cheat_Sheet.md). ![Java](assets/Index_Java.png) +[Injection Prevention in Java Cheat Sheet](cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.md). -[Injection Prevention in Java Cheat Sheet](cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Xml](assets/Index_Xml.png) +[Injection Prevention Cheat Sheet](cheatsheets/Injection_Prevention_Cheat_Sheet.md). ![Java](assets/Index_Java.png) -[Input Validation Cheat Sheet](cheatsheets/Input_Validation_Cheat_Sheet.md). ![Java](assets/Index_Java.png) +[Input Validation Cheat Sheet](cheatsheets/Input_Validation_Cheat_Sheet.md). ![Java](assets/Index_Java.png) -[Insecure Direct Object Reference Prevention Cheat Sheet](cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.md). ![Java](assets/Index_Java.png) +[Infrastructure as Code Security Cheat Sheet](cheatsheets/Infrastructure_as_Code_Security_Cheat_Sheet.md). + +[Insecure Direct Object Reference Prevention Cheat Sheet](cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.md). ## J -[JAAS Cheat Sheet](cheatsheets/JAAS_Cheat_Sheet.md). ![Java](assets/Index_Java.png) +[JAAS Cheat Sheet](cheatsheets/JAAS_Cheat_Sheet.md). ![Java](assets/Index_Java.png) + +[JWT Cheat Sheet](cheatsheets/JWT_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Java](assets/Index_Java.png) ![Json](assets/Index_Json.png) -[JSON Web Token for Java Cheat Sheet](cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Java](assets/Index_Java.png) ![Json](assets/Index_Json.png) ![Sql](assets/Index_Sql.png) +[Java Security Cheat Sheet](cheatsheets/Java_Security_Cheat_Sheet.md). 
![Java](assets/Index_Java.png) ![Xml](assets/Index_Xml.png) + +[JSON Web Token for Java Cheat Sheet](cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Java](assets/Index_Java.png) ![Json](assets/Index_Json.png) ![Sql](assets/Index_Sql.png) ## K [Key Management Cheat Sheet](cheatsheets/Key_Management_Cheat_Sheet.md). +[Kubernetes Security Cheat Sheet](cheatsheets/Kubernetes_Security_Cheat_Sheet.md). ![Json](assets/Index_Json.png) ![Bash](assets/Index_Bash.png) + ## L -[Logging Cheat Sheet](cheatsheets/Logging_Cheat_Sheet.md). +[Logging Vocabulary Cheat Sheet](cheatsheets/Logging_Vocabulary_Cheat_Sheet.md). [LDAP Injection Prevention Cheat Sheet](cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.md). +[Logging Cheat Sheet](cheatsheets/Logging_Cheat_Sheet.md). + +[Laravel Cheat Sheet](cheatsheets/Laravel_Cheat_Sheet.md). ![Html](assets/Index_Html.png) ![Php](assets/Index_Php.png) ![Sql](assets/Index_Sql.png) ![Bash](assets/Index_Bash.png) + ## M [Multifactor Authentication Cheat Sheet](cheatsheets/Multifactor_Authentication_Cheat_Sheet.md). -[Mass Assignment Cheat Sheet](cheatsheets/Mass_Assignment_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Java](assets/Index_Java.png) ![Html](assets/Index_Html.png) ![Php](assets/Index_Php.png) - [Microservices based Security Arch Doc Cheat Sheet](cheatsheets/Microservices_based_Security_Arch_Doc_Cheat_Sheet.md). +[Mass Assignment Cheat Sheet](cheatsheets/Mass_Assignment_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Java](assets/Index_Java.png) ![Html](assets/Index_Html.png) ![Php](assets/Index_Php.png) + +[Microservices Security Cheat Sheet](cheatsheets/Microservices_Security_Cheat_Sheet.md). + ## N -[NodeJS Security Cheat Sheet](cheatsheets/Nodejs_Security_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) ![Bash](assets/Index_Bash.png) +[NPM Security Cheat Sheet](cheatsheets/NPM_Security_Cheat_Sheet.md). 
+ +[NodeJS Docker Cheat Sheet](cheatsheets/NodeJS_Docker_Cheat_Sheet.md). + +[Nodejs Security Cheat Sheet](cheatsheets/Nodejs_Security_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Bash](assets/Index_Bash.png) + +[Network Segmentation Cheat Sheet](cheatsheets/Network_Segmentation_Cheat_Sheet.md). ## O -[OS Command Injection Defense Cheat Sheet](cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Shell](assets/Index_Shell.png) +[OS Command Injection Defense Cheat Sheet](cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Php](assets/Index_Php.png) ![Shell](assets/Index_Shell.png) ## P [Password Storage Cheat Sheet](cheatsheets/Password_Storage_Cheat_Sheet.md). -[PHP Configuration Cheat Sheet](cheatsheets/PHP_Configuration_Cheat_Sheet.md). - [Pinning Cheat Sheet](cheatsheets/Pinning_Cheat_Sheet.md). +[Prototype Pollution Prevention Cheat Sheet](cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) + +[PHP Configuration Cheat Sheet](cheatsheets/PHP_Configuration_Cheat_Sheet.md). + ## Q -[Query Parameterization Cheat Sheet](cheatsheets/Query_Parameterization_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Ruby](assets/Index_Ruby.png) ![Php](assets/Index_Php.png) ![Sql](assets/Index_Sql.png) ![Coldfusion](assets/Index_Coldfusion.png) ![Perl](assets/Index_Perl.png) +[Query Parameterization Cheat Sheet](cheatsheets/Query_Parameterization_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Ruby](assets/Index_Ruby.png) ![Php](assets/Index_Php.png) ![Sql](assets/Index_Sql.png) ![Coldfusion](assets/Index_Coldfusion.png) ![Perl](assets/Index_Perl.png) ## R -[REST Security Cheat Sheet](cheatsheets/REST_Security_Cheat_Sheet.md). - [REST Assessment Cheat Sheet](cheatsheets/REST_Assessment_Cheat_Sheet.md). 
-[Ruby on Rails Cheat Sheet](cheatsheets/Ruby_on_Rails_Cheat_Sheet.md). ![Html](assets/Index_Html.png) ![Ruby](assets/Index_Ruby.png) ![Bash](assets/Index_Bash.png) +[Ruby on Rails Cheat Sheet](cheatsheets/Ruby_on_Rails_Cheat_Sheet.md). ![Html](assets/Index_Html.png) ![Ruby](assets/Index_Ruby.png) ![Bash](assets/Index_Bash.png) + +[REST Security Cheat Sheet](cheatsheets/REST_Security_Cheat_Sheet.md). ## S -[Securing Cascading Style Sheets Cheat Sheet](cheatsheets/Securing_Cascading_Style_Sheets_Cheat_Sheet.md). +[Server Side Request Forgery Prevention Cheat Sheet](cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Python](assets/Index_Python.png) ![Ruby](assets/Index_Ruby.png) ![Bash](assets/Index_Bash.png) -[SQL Injection Prevention Cheat Sheet](cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Php](assets/Index_Php.png) ![Sql](assets/Index_Sql.png) ![Vbnet](assets/Index_Vbnet.png) +[Secure Product Design Cheat Sheet](cheatsheets/Secure_Product_Design_Cheat_Sheet.md). -[Server Side Request Forgery Prevention Cheat Sheet](cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Python](assets/Index_Python.png) ![Ruby](assets/Index_Ruby.png) ![Bash](assets/Index_Bash.png) +[Secure Cloud Architecture Cheat Sheet](cheatsheets/Secure_Cloud_Architecture_Cheat_Sheet.md). -[SAML Security Cheat Sheet](cheatsheets/SAML_Security_Cheat_Sheet.md). +[SQL Injection Prevention Cheat Sheet](cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Php](assets/Index_Php.png) ![Sql](assets/Index_Sql.png) ![Vbnet](assets/Index_Vbnet.png) [Session Management Cheat Sheet](cheatsheets/Session_Management_Cheat_Sheet.md). +[Secrets Management Cheat Sheet](cheatsheets/Secrets_Management_Cheat_Sheet.md). 
+ +[SAML Security Cheat Sheet](cheatsheets/SAML_Security_Cheat_Sheet.md). + +[Securing Cascading Style Sheets Cheat Sheet](cheatsheets/Securing_Cascading_Style_Sheets_Cheat_Sheet.md). + ## T [Transaction Authorization Cheat Sheet](cheatsheets/Transaction_Authorization_Cheat_Sheet.md). -[TLS Cipher String Cheat Sheet](cheatsheets/TLS_Cipher_String_Cheat_Sheet.md). +[Transport Layer Protection Cheat Sheet](cheatsheets/Transport_Layer_Protection_Cheat_Sheet.md). ![Bash](assets/Index_Bash.png) -[Transport Layer Protection Cheat Sheet](cheatsheets/Transport_Layer_Protection_Cheat_Sheet.md). ![Bash](assets/Index_Bash.png) +[TLS Cipher String Cheat Sheet](cheatsheets/TLS_Cipher_String_Cheat_Sheet.md). -[Third Party Javascript Management Cheat Sheet](cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) +[Third Party Javascript Management Cheat Sheet](cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) [Threat Modeling Cheat Sheet](cheatsheets/Threat_Modeling_Cheat_Sheet.md). 
@@ -160,15 +202,15 @@ [User Privacy Protection Cheat Sheet](cheatsheets/User_Privacy_Protection_Cheat_Sheet.md). -[Unvalidated Redirects and Forwards Cheat Sheet](cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Ruby](assets/Index_Ruby.png) ![Php](assets/Index_Php.png) +[Unvalidated Redirects and Forwards Cheat Sheet](cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Ruby](assets/Index_Ruby.png) ![Php](assets/Index_Php.png) ## V -[Virtual Patching Cheat Sheet](cheatsheets/Virtual_Patching_Cheat_Sheet.md). ![Html](assets/Index_Html.png) - [Vulnerability Disclosure Cheat Sheet](cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.md). -[Vulnerable Dependency Management Cheat Sheet](cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.md). ![Java](assets/Index_Java.png) +[Virtual Patching Cheat Sheet](cheatsheets/Virtual_Patching_Cheat_Sheet.md). ![Html](assets/Index_Html.png) + +[Vulnerable Dependency Management Cheat Sheet](cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ## W 
@@ -176,6 +218,10 @@ ## X -[XML External Entity Prevention Cheat Sheet](cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Cpp](assets/Index_Cpp.png) ![Php](assets/Index_Php.png) +[XML Security Cheat Sheet](cheatsheets/XML_Security_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Xml](assets/Index_Xml.png) ![Bash](assets/Index_Bash.png) + +[XML External Entity Prevention Cheat Sheet](cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Cpp](assets/Index_Cpp.png) ![Php](assets/Index_Php.png) + +[XSS Filter Evasion Cheat Sheet](cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.md). ![Html](assets/Index_Html.png) ![Php](assets/Index_Php.png) -[XML Security Cheat Sheet](cheatsheets/XML_Security_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Xml](assets/Index_Xml.png) ![Bash](assets/Index_Bash.png) +[XS Leaks Cheat Sheet](cheatsheets/XS_Leaks_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) diff --git a/assets/JWTCSA/0-verification.md b/assets/JWTCSA/0-verification.md new file mode 100644 index 0000000000..ad7ad25773 --- /dev/null +++ b/assets/JWTCSA/0-verification.md 
@@ -0,0 +1,49 @@ +# Verification + +## `None` Examples + +### Java + + +``` +// HMAC key - Block serialization and storage as String in JVM memory +private transient byte[] keyHMAC = ...; + +... + +//Create a verification context for the token requesting +//explicitly the use of the HMAC-256 hashing algorithm +JWTVerifier verifier = JWT.require(Algorithm.HMAC256(keyHMAC)).build(); + +//Verify the token, if the verification fail then a exception is thrown +DecodedJWT decodedToken = verifier.verify(token); +``` + + +### Python:pyjwt + + +``` +try: + pyjwt.decode(encoded, key, algorithms=["HS256","ES256"]) +except Exception as error: + # handle exception here + raise error +else: + continue +``` + + +### NodeJS:Jose + + +``` +const { payload, protectedHeader } = await jose.jwtVerify(jwt, secret, { + algorithms: "HS256" +}) + +console.log(protectedHeader) +console.log(payload) +``` + + diff --git a/cheatsheets/JWT_Cheat_Sheet.md b/cheatsheets/JWT_Cheat_Sheet.md new file mode 100644 index 0000000000..bc4fd53343 --- /dev/null +++ b/cheatsheets/JWT_Cheat_Sheet.md 
@@ -0,0 +1,200 @@ +# JWT Cheat Sheet + +## Introduction + +Many applications use **JSON Web Tokens** (JWT) to allow the client to indicate its identity for further exchange after +authentication and to securely transmit data. + +From [JWT.IO](https://jwt.io/introduction): + +> JSON Web Token (JWT) is an open standard ([RFC 7519](https://tools.ietf.org/html/rfc7519)) that defines a compact and +> self-contained way for securely transmitting information between parties as a JSON object. This information can be +> verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the **HMAC** algorithm) +> or a public/private key pair using **RSA** or **ECDSA**. + +JSON Web Token is used to carry information related to the identity and characteristics (claims) of a client. This +information should signed by the server in order for it to detect whether it was tampered with after sending it to the +client. This will prevent an attacker from changing the identity or any characteristics (for example, changing the role +from simple user to admin or change the client login). + +This token is created during authentication (is provided in case of successful authentication) and is verified by the +server before any processing. It is used by an application to allow a client to present a token representing the user's +"identity card" to the server and allow the server to verify the validity and integrity of the token in a secure way, +all of this in a stateless and portable approach (portable in the way that client and server technologies can be +different including also the transport channel even if HTTP is the most often used). + +## Token Structure + +Token structure example taken from [JWT.IO](https://jwt.io/#debugger): + +`[Base64(HEADER)].[Base64(PAYLOAD)].[Base64(SIGNATURE)]` + +```text +eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. +eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9. 
+TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ +``` + +Chunk 1: **Header** + +```json +{ + "alg": "HS256", + "typ": "JWT" +} +``` + +Chunk 2: **Payload** + +```json +{ + "sub": "1234567890", + "name": "John Doe", + "admin": true +} +``` + +Chunk 3: **Signature** + +```javascript +HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), KEY ) +``` + +And example of this jwt can be found [here](https://jwt.io/) on JWT.io signed with a symmetric key called `test` (obviously +weak). + + +## Objective + +This cheatsheet provides tips to prevent common security issues when using JSON Web Tokens (JWT). + +## Consideration about Using JWT + +Even if a JWT token is "easy" to use and allow to expose services (mostly REST style) in a stateless way, it's not the +solution that fits for all applications because it comes with some caveats, like for example the question of the +storage of the token (tackled in this cheatsheet) and others. + +If your application does not need to be fully stateless, you can consider using traditional session system provided by +all web frameworks and follow the advice from the dedicated [session management cheat sheet](Session_Management_Cheat_Sheet.md). +Especially for authenticating users, the use of tools like Oauth2 or OIDC backed by SAML has become an industry best +practice, as it allows one SAML implementation/Server to integrate a large number of authentication best practices. +Some of those tools use JWT's under the hood. + +## Issues + +### None Hashing Algorithm + +#### Symptom + +This attack, described [here](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/), occurs +when an attacker alters the token and changes the hashing algorithm to indicate, through the *none* keyword, that the +integrity of the token has already been verified. 
As explained in the link above *some libraries treated tokens signed +with the none algorithm as a valid token with a verified signature*, so an attacker can alter the token claims and +the modified token will still be trusted by the application. + +#### How to Prevent + +First, use a JWT library that is not exposed to this vulnerability, or use a library that allows you to specify which +algorithms are considered acceptable and do not include (or explicitly exclude) the `none` algorithm. For example in +[`pyjwt.decode`](https://pyjwt.readthedocs.io/en/stable/api.html#jwt.decode) (python) you can explicitly state which +signature(s) is acceptable. Most libraries have fixed this issue, but as a rule, if you're using a symmetric key you +should explicitly set which libraries are allowed. + +Second (and not shown) is to use an asymmetric key to sign your jwts. In general, it should be seen as a best practice +to use an asymetrc key to sign jwts rather than a symmetric key. + +#### Implementation Example Symmetric Key + +=== "Java Example" + + --8<-- "JWTCSA/0-verification.md:java" + +=== "Python Example (`pyjwt`)" + + --8<-- "JWTCSA/0-verification.md:pyjwt" + +=== "Javascript Example (`jose`)" + + --8<-- "JWTCSA/0-verification.md:jose" + + +### Token Sidejacking + +#### Symptom + +This attack occurs when a token has been intercepted/stolen by an attacker and they use it to gain access to the system +using targeted user identity. In part, this attack really can't be mitigated "in platform" as JWTs are generically stateless +by design. + +#### How to Prevent + +If you're using a jwt as a session token in the context of a webapp you should follow the +[Session Management Cheat Sheet](Session Management Cheat Sheet). But a more generic fix might be to use JWTs in conjunction +with OIDC/OAUTH2 and utilize the replay protections those meta libraries provide. However, if you're looking to implement +a similar solution you can utilize a `nonce`. 
+ +Additionally, depending on your application and security designs; it might make sense to have your JWT tokens valid for +short periods of time; especially in a "service to service" context where the service can regenerate a token at any time. +There may be a performance concern associated with signing a jwt token on each request; but modern CPUs should be able to +generate tokens without much consideration for all but the most abnormal workloads. This wouldn't eliminate the problem +of token sidejacking, but it would limit the amount of time a successful sidejacking could be utilized. + +/// details | Stateful Considerations + type: warning + +Using a nonce in a multi-node environment will require state to be shared between each node. Generally this is done with +a database table or a tool like [redis](https://redis.io/). If you're application is designed to be stateless, or if it's +a microservices type architecture this approach may not be ideal, or might be somewhat difficult to utilize. +/// + +So in this example you're server would return a jwt with the `nonce` claim (along with the normal `nbf`, +`iat`, `exp` time based claims). + +/// details | ToDo: Nonce Recommendation + type: ToDo + +Find the "right way" to implement a nonce. Finding conflicting information about how it should work (just server verify, +just client verify, both verify); protections for simultaneous api calls etc... +/// + +### No Built-In Token Revocation by the User + +#### Symptom + +This problem is inherent to JWT because a token only becomes invalid when it expires. The +[`jti`](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.7) component of the specification is supposed to allow for the +ability for token revocation on the server side. Additionally, if a public certificate is used and the library supports it, +a signing certificate should be able to be revoked and that should invalidate the jwt token(s) signed with it. 
+ +#### How to Prevent + +/// details | Stateful Considerations +type: warning + +Using a `jti` in a multi-node environment will require token ids to be shared between each node. Generally this is done +with a database table or a tool like [redis](https://redis.io/). If you're application is designed to be stateless, or +if it's a micro-services type architecture this approach may not be ideal, or might be somewhat difficult to utilize. +/// + +Use a `jti`. + +Use a publicly signed certificate to sign jwts and check for certificate revocation on validation. + +### Validate Common Claims + +TODO + +### Implement Buisness Logic post Validation + +TODO + +## Further Reading + +- [{JWT}.{Attack}.Playbook](https://github.com/ticarpi/jwt_tool/wiki) - A project documents the known attacks and potential security vulnerabilities and misconfigurations of JSON Web Tokens. +- [JWT Best Practices Internet Draft](https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bcp/) +- [JWT.io Discussion Forum](https://community.auth0.com/c/jwt/8) (Hosted by [Auth0](https://auth0.com/)) +- [JWT Overview on Wikipedia](https://en.wikipedia.org/wiki/JSON_Web_Token) +- [OpenID](https://openid.net/) - A larger framework to provide ways to connect JWT based authentication with other authentication + systems. +- [JSON Web Encryption (JWE) RFC 7516](https://datatracker.ietf.org/doc/html/rfc7516) - A JWT like specification that includes + payload encryption. \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index ffd2e7dae5..67d2b9204b 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -11,9 +11,10 @@ copyright: ©Copyright 2021 - CheatSheets Series Team - This work is licensed un #Config docs_dir: cheatsheets/ -google_analytics: - - !!python/object/apply:os.getenv ["WORKFLOW_GOOGLE_ANALYTICS_KEY", "none"] - - auto +extra: + analytics: + provider: google + property: !!python/object/apply:os.getenv ["WORKFLOW_GOOGLE_ANALYTICS_KEY", "none"] use_directory_urls: false plugins: - search: 
@@ -56,6 +57,12 @@ markdown_extensions: - pymdownx.highlight - pymdownx.superfences # Required by Pygments - pymdownx.inlinehilite + - pymdownx.blocks.details + - pymdownx.snippets: + base_path: + ../assets/ + - pymdownx.tabbed: + alternate_style: true - pymdownx.emoji: emoji_index: !!python/name:pymdownx.emoji.twemoji emoji_generator: !!python/name:pymdownx.emoji.to_svg diff --git a/requirements.txt b/requirements.txt index 6e2f73ce17..8cef8aee4d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,7 +1,7 @@ -requests -feedgen -wheel -mkdocs -mkdocs-material -pymdown-extensions -Pygments \ No newline at end of file +requests>=2.31.0 +feedgen>=0.9.0 +wheel>=0.41.1 +mkdocs>=1.5.2 +mkdocs-material>=9.1.21 +pymdown-extensions>=10.1 +pygments>=2.16.1 \ No newline at end of file From c2e3e2813a1ba43f50fbdb9c561cc0fac40f3748 Mon Sep 17 00:00:00 2001 From: Chris Halbersma Date: Mon, 14 Aug 2023 13:31:07 -0700 Subject: [PATCH 2/4] Fixes markdown linting errors. --- Index.md | 2 +- cheatsheets/JWT_Cheat_Sheet.md | 121 ++++++++++++++++----------------- 2 files changed, 59 insertions(+), 64 deletions(-) diff --git a/Index.md b/Index.md index 2e3a39a31e..47bed710a5 100644 --- a/Index.md +++ b/Index.md @@ -100,7 +100,7 @@ [JAAS Cheat Sheet](cheatsheets/JAAS_Cheat_Sheet.md). ![Java](assets/Index_Java.png) -[JWT Cheat Sheet](cheatsheets/JWT_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Java](assets/Index_Java.png) ![Json](assets/Index_Json.png) +[JWT Cheat Sheet](cheatsheets/JWT_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Json](assets/Index_Json.png) [Java Security Cheat Sheet](cheatsheets/Java_Security_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Xml](assets/Index_Xml.png) diff --git a/cheatsheets/JWT_Cheat_Sheet.md b/cheatsheets/JWT_Cheat_Sheet.md index bc4fd53343..240569184c 100644 --- a/cheatsheets/JWT_Cheat_Sheet.md +++ b/cheatsheets/JWT_Cheat_Sheet.md 
@@ -2,26 +2,26 @@ ## Introduction -Many applications use **JSON Web Tokens** (JWT) to allow the client to indicate its identity for further exchange after -authentication and to securely transmit data. +Many applications use **JSON Web Tokens** (JWT) to allow the client to indicate its identity for further exchange after + authentication and to securely transmit data. From [JWT.IO](https://jwt.io/introduction): -> JSON Web Token (JWT) is an open standard ([RFC 7519](https://tools.ietf.org/html/rfc7519)) that defines a compact and -> self-contained way for securely transmitting information between parties as a JSON object. This information can be -> verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the **HMAC** algorithm) +> JSON Web Token (JWT) is an open standard ([RFC 7519](https://tools.ietf.org/html/rfc7519)) that defines a compact and +> self-contained way for securely transmitting information between parties as a JSON object. This information can be +> verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the **HMAC** algorithm) > or a public/private key pair using **RSA** or **ECDSA**. -JSON Web Token is used to carry information related to the identity and characteristics (claims) of a client. This -information should signed by the server in order for it to detect whether it was tampered with after sending it to the -client. This will prevent an attacker from changing the identity or any characteristics (for example, changing the role -from simple user to admin or change the client login). +JSON Web Token is used to carry information related to the identity and characteristics (claims) of a client. This + information should signed by the server in order for it to detect whether it was tampered with after sending it to the + client. 
This will prevent an attacker from changing the identity or any characteristics (for example, changing the role + from simple user to admin or change the client login). -This token is created during authentication (is provided in case of successful authentication) and is verified by the -server before any processing. It is used by an application to allow a client to present a token representing the user's -"identity card" to the server and allow the server to verify the validity and integrity of the token in a secure way, -all of this in a stateless and portable approach (portable in the way that client and server technologies can be -different including also the transport channel even if HTTP is the most often used). +This token is created during authentication (is provided in case of successful authentication) and is verified by the + server before any processing. It is used by an application to allow a client to present a token representing the user's + "identity card" to the server and allow the server to verify the validity and integrity of the token in a secure way, + all of this in a stateless and portable approach (portable in the way that client and server technologies can be + different including also the transport channel even if HTTP is the most often used). ## Token Structure @@ -61,8 +61,7 @@ HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), KEY ) ``` And example of this jwt can be found [here](https://jwt.io/) on JWT.io signed with a symmetric key called `test` (obviously -weak). - + weak). ## Objective 
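Review bot: the `@@ -61,8 +61,7 @@` hunk deletes the blank line between `weak).` and `## Objective`, so the heading now directly follows paragraph text; CommonMark still renders it as a heading, but markdownlint's MD022 (headings should be surrounded by blank lines) will flag it, which works against the stated purpose of this commit. Restore the blank line. In the `@@ -2,26 +2,26 @@` hunk of the same file, the re-indented line `This information should signed by the server` is still missing `be`; since the line is already being rewritten, fix the wording in the same pass.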
@@ -70,15 +69,15 @@ This cheatsheet provides tips to prevent common security issues when using JSON ## Consideration about Using JWT -Even if a JWT token is "easy" to use and allow to expose services (mostly REST style) in a stateless way, it's not the -solution that fits for all applications because it comes with some caveats, like for example the question of the -storage of the token (tackled in this cheatsheet) and others. +Even if a JWT token is "easy" to use and allow to expose services (mostly REST style) in a stateless way, it's not the + solution that fits for all applications because it comes with some caveats, like for example the question of the + storage of the token (tackled in this cheatsheet) and others. -If your application does not need to be fully stateless, you can consider using traditional session system provided by -all web frameworks and follow the advice from the dedicated [session management cheat sheet](Session_Management_Cheat_Sheet.md). -Especially for authenticating users, the use of tools like Oauth2 or OIDC backed by SAML has become an industry best -practice, as it allows one SAML implementation/Server to integrate a large number of authentication best practices. -Some of those tools use JWT's under the hood. +If your application does not need to be fully stateless, you can consider using traditional session system provided by + all web frameworks and follow the advice from the dedicated [session management cheat sheet](Session_Management_Cheat_Sheet.md). + Especially for authenticating users, the use of tools like Oauth2 or OIDC backed by SAML has become an industry best + practice, as it allows one SAML implementation/Server to integrate a large number of authentication best practices. + Some of those tools use JWT's under the hood. ## Issues 
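Review bot: the re-indented paragraph in `@@ -70,15 +69,15 @@` still states that `Oauth2 or OIDC backed by SAML has become an industry best practice` and goes on to speak of `one SAML implementation/Server`. OIDC is an identity layer on top of OAuth 2.0 and is an alternative to SAML, not something backed by it, so as written the sentence will mislead readers choosing between the two. Since this commit touches those lines, suggest `OAuth 2.0 or OpenID Connect (OIDC)` for the protocols, `one identity provider` in place of `one SAML implementation/Server`, and the spelling `OAuth 2.0` rather than `Oauth2`.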
@@ -86,94 +85,90 @@ Some of those tools use JWT's under the hood. #### Symptom -This attack, described [here](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/), occurs -when an attacker alters the token and changes the hashing algorithm to indicate, through the *none* keyword, that the -integrity of the token has already been verified. As explained in the link above *some libraries treated tokens signed -with the none algorithm as a valid token with a verified signature*, so an attacker can alter the token claims and -the modified token will still be trusted by the application. +This attack, described [here](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/), occurs + when an attacker alters the token and changes the hashing algorithm to indicate, through the *none* keyword, that the + integrity of the token has already been verified. As explained in the link above *some libraries treated tokens signed + with the none algorithm as a valid token with a verified signature*, so an attacker can alter the token claims and + the modified token will still be trusted by the application. #### How to Prevent First, use a JWT library that is not exposed to this vulnerability, or use a library that allows you to specify which -algorithms are considered acceptable and do not include (or explicitly exclude) the `none` algorithm. For example in -[`pyjwt.decode`](https://pyjwt.readthedocs.io/en/stable/api.html#jwt.decode) (python) you can explicitly state which -signature(s) is acceptable. Most libraries have fixed this issue, but as a rule, if you're using a symmetric key you + algorithms are considered acceptable and do not include (or explicitly exclude) the `none` algorithm. For example in + [`pyjwt.decode`](https://pyjwt.readthedocs.io/en/stable/api.html#jwt.decode) (python) you can explicitly state which + signature(s) is acceptable. 
Most libraries have fixed this issue, but as a rule, if you're using a symmetric key you should explicitly set which libraries are allowed. Second (and not shown) is to use an asymmetric key to sign your jwts. In general, it should be seen as a best practice -to use an asymetrc key to sign jwts rather than a symmetric key. + to use an asymetrc key to sign jwts rather than a symmetric key. #### Implementation Example Symmetric Key === "Java Example" - --8<-- "JWTCSA/0-verification.md:java" === "Python Example (`pyjwt`)" - --8<-- "JWTCSA/0-verification.md:pyjwt" -=== "Javascript Example (`jose`)" - +=== "JavaScript Example (`jose`)" --8<-- "JWTCSA/0-verification.md:jose" - ### Token Sidejacking #### Symptom -This attack occurs when a token has been intercepted/stolen by an attacker and they use it to gain access to the system -using targeted user identity. In part, this attack really can't be mitigated "in platform" as JWTs are generically stateless -by design. +This attack occurs when a token has been intercepted/stolen by an attacker and they use it to gain access to the system + using targeted user identity. In part, this attack really can't be mitigated "in platform" as JWTs are generically stateless + by design. #### How to Prevent -If you're using a jwt as a session token in the context of a webapp you should follow the -[Session Management Cheat Sheet](Session Management Cheat Sheet). But a more generic fix might be to use JWTs in conjunction -with OIDC/OAUTH2 and utilize the replay protections those meta libraries provide. However, if you're looking to implement -a similar solution you can utilize a `nonce`. +If you're using a jwt as a session token in the context of a webapp you should follow the + [Session Management Cheat Sheet](Session Management Cheat Sheet). But a more generic fix might be to use JWTs in conjunction + with OIDC/OAUTH2 and utilize the replay protections those meta libraries provide. 
However, if you're looking to implement + a similar solution you can utilize a `nonce`. Additionally, depending on your application and security designs; it might make sense to have your JWT tokens valid for -short periods of time; especially in a "service to service" context where the service can regenerate a token at any time. -There may be a performance concern associated with signing a jwt token on each request; but modern CPUs should be able to -generate tokens without much consideration for all but the most abnormal workloads. This wouldn't eliminate the problem -of token sidejacking, but it would limit the amount of time a successful sidejacking could be utilized. + short periods of time; especially in a "service to service" context where the service can regenerate a token at any time. + There may be a performance concern associated with signing a jwt token on each request; but modern CPUs should be able to + generate tokens without much consideration for all but the most abnormal workloads. This wouldn't eliminate the problem + of token sidejacking, but it would limit the amount of time a successful sidejacking could be utilized. /// details | Stateful Considerations type: warning Using a nonce in a multi-node environment will require state to be shared between each node. Generally this is done with -a database table or a tool like [redis](https://redis.io/). If you're application is designed to be stateless, or if it's -a microservices type architecture this approach may not be ideal, or might be somewhat difficult to utilize. + a database table or a tool like [redis](https://redis.io/). If you're application is designed to be stateless, or if it's + a microservices type architecture this approach may not be ideal, or might be somewhat difficult to utilize. /// -So in this example you're server would return a jwt with the `nonce` claim (along with the normal `nbf`, -`iat`, `exp` time based claims). 
+So in this example you're server would return a jwt with the `nonce` claim (along with the normal `nbf`, + `iat`, `exp` time based claims). /// details | ToDo: Nonce Recommendation type: ToDo -Find the "right way" to implement a nonce. Finding conflicting information about how it should work (just server verify, -just client verify, both verify); protections for simultaneous api calls etc... +Find the "right way" to implement a nonce. Finding conflicting information about how it should work (just server verify, + just client verify, both verify); protections for simultaneous API calls etc... /// ### No Built-In Token Revocation by the User #### Symptom -This problem is inherent to JWT because a token only becomes invalid when it expires. The -[`jti`](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.7) component of the specification is supposed to allow for the -ability for token revocation on the server side. Additionally, if a public certificate is used and the library supports it, -a signing certificate should be able to be revoked and that should invalidate the jwt token(s) signed with it. +This problem is inherent to JWT because a token only becomes invalid when it expires. The + [`jti`](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.7) component of the specification is supposed to allow for the + ability for token revocation on the server side. Additionally, if a public certificate is used and the library supports it, + a signing certificate should be able to be revoked and that should invalidate the jwt token(s) signed with it. #### How to Prevent /// details | Stateful Considerations type: warning -Using a `jti` in a multi-node environment will require token ids to be shared between each node. Generally this is done -with a database table or a tool like [redis](https://redis.io/). If you're application is designed to be stateless, or -if it's a micro-services type architecture this approach may not be ideal, or might be somewhat difficult to utilize. 
+Using a `jti` in a multi-node environment will require token IDs to be shared between each node. Generally this is done + with a database table or a tool like [redis](https://redis.io/). If you're application is designed to be stateless, or + if it's a microservices type architecture this approach may not be ideal, or might be somewhat difficult to utilize. /// Use a `jti`. @@ -197,4 +192,4 @@ TODO - [OpenID](https://openid.net/) - A larger framework to provide ways to connect JWT based authentication with other authentication systems. - [JSON Web Encryption (JWE) RFC 7516](https://datatracker.ietf.org/doc/html/rfc7516) - A JWT like specification that includes - payload encryption. \ No newline at end of file + payload encryption. From 4dcaedfdb727637745544c344dfb9eb284290150 Mon Sep 17 00:00:00 2001 From: Christopher Halbersma Date: Sat, 28 Oct 2023 00:02:49 -0700 Subject: [PATCH 3/4] More work on this * Still not ready * Taking some feedback from our attempt to implement a jwt based auth scheme professionally. * Recommends jwt symmetrically signed with jwks certificates as it seems like it will be the best supported and offers an upgrade/portability path to OIDC. --- .gitignore | 2 + Index.md | 118 ++++++++++++++++---------------- assets/JWTCSA/0-verification.md | 1 - assets/JWTCSA/1-jwks.md | 33 +++++++++ assets/JWTCSA/jwks.png | Bin 0 -> 21303 bytes assets/JWTCSA/jwks.puml | 19 +++++ cheatsheets/JWT_Cheat_Sheet.md | 26 ++++++- 7 files changed, 138 insertions(+), 61 deletions(-) create mode 100644 assets/JWTCSA/1-jwks.md create mode 100644 assets/JWTCSA/jwks.png create mode 100644 assets/JWTCSA/jwks.puml diff --git a/.gitignore b/.gitignore index 2d61057b9d..b47119dff7 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,5 @@ package-lock.json yarn.lock venv /.idea +/.kdev4/CheatSheetSeries.kdev4 +/CheatSheetSeries.kdev4 diff --git a/Index.md b/Index.md index 47bed710a5..3ebf9540fd 100644 --- a/Index.md +++ b/Index.md 
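Review bot: `[Session Management Cheat Sheet](Session Management Cheat Sheet)` in the Token Sidejacking section of the `@@ -86,94 +85,90 @@` hunk is a broken link (the target contains spaces and no `.md`); the `Consideration about Using JWT` section of the same file uses the correct form `(Session_Management_Cheat_Sheet.md)`, so use that here. Two wording errors also survive on lines this hunk rewrites: `if you're using a symmetric key you should explicitly set which libraries are allowed` should read `algorithms`, because the defence described is restricting the accepted `alg` values in the verifier (the preceding sentence says exactly that for `pyjwt.decode`), and `asymetrc` is misspelled. The `/// details | ToDo: Nonce Recommendation` block with `type: ToDo` is an unresolved design note inside a published cheat sheet, and Material for MkDocs has no `ToDo` admonition type, so it will render with the default styling; either resolve the nonce question or remove the block before merge. Finally, `If you're application` in the `Stateful Considerations` blocks should be `your`.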
@@ -8,19 +8,19 @@ ## A -[Authorization Cheat Sheet](cheatsheets/Authorization_Cheat_Sheet.md). - [AJAX Security Cheat Sheet](cheatsheets/AJAX_Security_Cheat_Sheet.md). ![Json](assets/Index_Json.png) -[Access Control Cheat Sheet](cheatsheets/Access_Control_Cheat_Sheet.md). - [Abuse Case Cheat Sheet](cheatsheets/Abuse_Case_Cheat_Sheet.md). -[Authorization Testing Automation Cheat Sheet](cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Xml](assets/Index_Xml.png) +[Access Control Cheat Sheet](cheatsheets/Access_Control_Cheat_Sheet.md). + +[Attack Surface Analysis Cheat Sheet](cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.md). [Authentication Cheat Sheet](cheatsheets/Authentication_Cheat_Sheet.md). -[Attack Surface Analysis Cheat Sheet](cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.md). +[Authorization Cheat Sheet](cheatsheets/Authorization_Cheat_Sheet.md). + +[Authorization Testing Automation Cheat Sheet](cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Xml](assets/Index_Xml.png) ## B 
@@ -28,39 +28,39 @@ ## C -[Cryptographic Storage Cheat Sheet](cheatsheets/Cryptographic_Storage_Cheat_Sheet.md). - -[Credential Stuffing Prevention Cheat Sheet](cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.md). +[C-Based Toolchain Hardening Cheat Sheet](cheatsheets/C-Based_Toolchain_Hardening_Cheat_Sheet.md). ![C](assets/Index_C.png) ![Bash](assets/Index_Bash.png) [Choosing and Using Security Questions Cheat Sheet](cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.md). -[C-Based Toolchain Hardening Cheat Sheet](cheatsheets/C-Based_Toolchain_Hardening_Cheat_Sheet.md). ![C](assets/Index_C.png) ![Bash](assets/Index_Bash.png) - -[Cross-Site Request Forgery Prevention Cheat Sheet](cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md). ![Html](assets/Index_Html.png) +[Clickjacking Defense Cheat Sheet](cheatsheets/Clickjacking_Defense_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) [Content Security Policy Cheat Sheet](cheatsheets/Content_Security_Policy_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) -[Clickjacking Defense Cheat Sheet](cheatsheets/Clickjacking_Defense_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) +[Credential Stuffing Prevention Cheat Sheet](cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.md). + +[Cross-Site Request Forgery Prevention Cheat Sheet](cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md). ![Html](assets/Index_Html.png) [Cross Site Scripting Prevention Cheat Sheet](cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md). ![Html](assets/Index_Html.png) +[Cryptographic Storage Cheat Sheet](cheatsheets/Cryptographic_Storage_Cheat_Sheet.md). + ## D +[DOM Clobbering Prevention Cheat Sheet](cheatsheets/DOM_Clobbering_Prevention_Cheat_Sheet.md). 
![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) + [DOM based XSS Prevention Cheat Sheet](cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) -[Denial of Service Cheat Sheet](cheatsheets/Denial_of_Service_Cheat_Sheet.md). +[Database Security Cheat Sheet](cheatsheets/Database_Security_Cheat_Sheet.md). -[DotNet Security Cheat Sheet](cheatsheets/DotNet_Security_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Csharp](assets/Index_Csharp.png) ![Html](assets/Index_Html.png) ![Xml](assets/Index_Xml.png) ![Sql](assets/Index_Sql.png) +[Denial of Service Cheat Sheet](cheatsheets/Denial_of_Service_Cheat_Sheet.md). [Deserialization Cheat Sheet](cheatsheets/Deserialization_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Python](assets/Index_Python.png) -[Docker Security Cheat Sheet](cheatsheets/Docker_Security_Cheat_Sheet.md). ![Bash](assets/Index_Bash.png) - -[Database Security Cheat Sheet](cheatsheets/Database_Security_Cheat_Sheet.md). - [Django REST Framework Cheat Sheet](cheatsheets/Django_REST_Framework_Cheat_Sheet.md). ![Python](assets/Index_Python.png) -[DOM Clobbering Prevention Cheat Sheet](cheatsheets/DOM_Clobbering_Prevention_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) +[Docker Security Cheat Sheet](cheatsheets/Docker_Security_Cheat_Sheet.md). ![Bash](assets/Index_Bash.png) + +[DotNet Security Cheat Sheet](cheatsheets/DotNet_Security_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Csharp](assets/Index_Csharp.png) ![Html](assets/Index_Html.png) ![Xml](assets/Index_Xml.png) ![Sql](assets/Index_Sql.png) ## E 
@@ -68,31 +68,31 @@ ## F -[Forgot Password Cheat Sheet](cheatsheets/Forgot_Password_Cheat_Sheet.md). - [File Upload Cheat Sheet](cheatsheets/File_Upload_Cheat_Sheet.md). +[Forgot Password Cheat Sheet](cheatsheets/Forgot_Password_Cheat_Sheet.md). + ## G [GraphQL Cheat Sheet](cheatsheets/GraphQL_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Java](assets/Index_Java.png) ## H -[HTTP Strict Transport Security Cheat Sheet](cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md). +[HTML5 Security Cheat Sheet](cheatsheets/HTML5_Security_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Java](assets/Index_Java.png) ![Html](assets/Index_Html.png) ![Json](assets/Index_Json.png) ![Shell](assets/Index_Shell.png) [HTTP Headers Cheat Sheet](cheatsheets/HTTP_Headers_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Xml](assets/Index_Xml.png) ![Php](assets/Index_Php.png) -[HTML5 Security Cheat Sheet](cheatsheets/HTML5_Security_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Java](assets/Index_Java.png) ![Html](assets/Index_Html.png) ![Json](assets/Index_Json.png) ![Shell](assets/Index_Shell.png) +[HTTP Strict Transport Security Cheat Sheet](cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md). ## I -[Injection Prevention in Java Cheat Sheet](cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.md). +[Infrastructure as Code Security Cheat Sheet](cheatsheets/Infrastructure_as_Code_Security_Cheat_Sheet.md). [Injection Prevention Cheat Sheet](cheatsheets/Injection_Prevention_Cheat_Sheet.md). ![Java](assets/Index_Java.png) -[Input Validation Cheat Sheet](cheatsheets/Input_Validation_Cheat_Sheet.md). ![Java](assets/Index_Java.png) +[Injection Prevention in Java Cheat Sheet](cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.md). -[Infrastructure as Code Security Cheat Sheet](cheatsheets/Infrastructure_as_Code_Security_Cheat_Sheet.md). +[Input Validation Cheat Sheet](cheatsheets/Input_Validation_Cheat_Sheet.md). 
![Java](assets/Index_Java.png) [Insecure Direct Object Reference Prevention Cheat Sheet](cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.md). @@ -100,11 +100,11 @@ [JAAS Cheat Sheet](cheatsheets/JAAS_Cheat_Sheet.md). ![Java](assets/Index_Java.png) -[JWT Cheat Sheet](cheatsheets/JWT_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Json](assets/Index_Json.png) +[JSON Web Token for Java Cheat Sheet](cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Java](assets/Index_Java.png) ![Json](assets/Index_Json.png) ![Sql](assets/Index_Sql.png) [Java Security Cheat Sheet](cheatsheets/Java_Security_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Xml](assets/Index_Xml.png) -[JSON Web Token for Java Cheat Sheet](cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Java](assets/Index_Java.png) ![Json](assets/Index_Json.png) ![Sql](assets/Index_Sql.png) +[JWT Cheat Sheet](cheatsheets/JWT_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Json](assets/Index_Json.png) ## K 
@@ -114,48 +114,48 @@ ## L -[Logging Vocabulary Cheat Sheet](cheatsheets/Logging_Vocabulary_Cheat_Sheet.md). - [LDAP Injection Prevention Cheat Sheet](cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.md). -[Logging Cheat Sheet](cheatsheets/Logging_Cheat_Sheet.md). - [Laravel Cheat Sheet](cheatsheets/Laravel_Cheat_Sheet.md). ![Html](assets/Index_Html.png) ![Php](assets/Index_Php.png) ![Sql](assets/Index_Sql.png) ![Bash](assets/Index_Bash.png) -## M +[Logging Cheat Sheet](cheatsheets/Logging_Cheat_Sheet.md). -[Multifactor Authentication Cheat Sheet](cheatsheets/Multifactor_Authentication_Cheat_Sheet.md). +[Logging Vocabulary Cheat Sheet](cheatsheets/Logging_Vocabulary_Cheat_Sheet.md). -[Microservices based Security Arch Doc Cheat Sheet](cheatsheets/Microservices_based_Security_Arch_Doc_Cheat_Sheet.md). +## M [Mass Assignment Cheat Sheet](cheatsheets/Mass_Assignment_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Java](assets/Index_Java.png) ![Html](assets/Index_Html.png) ![Php](assets/Index_Php.png) [Microservices Security Cheat Sheet](cheatsheets/Microservices_Security_Cheat_Sheet.md). +[Microservices based Security Arch Doc Cheat Sheet](cheatsheets/Microservices_based_Security_Arch_Doc_Cheat_Sheet.md). + +[Multifactor Authentication Cheat Sheet](cheatsheets/Multifactor_Authentication_Cheat_Sheet.md). + ## N [NPM Security Cheat Sheet](cheatsheets/NPM_Security_Cheat_Sheet.md). +[Network Segmentation Cheat Sheet](cheatsheets/Network_Segmentation_Cheat_Sheet.md). + [NodeJS Docker Cheat Sheet](cheatsheets/NodeJS_Docker_Cheat_Sheet.md). [Nodejs Security Cheat Sheet](cheatsheets/Nodejs_Security_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Bash](assets/Index_Bash.png) -[Network Segmentation Cheat Sheet](cheatsheets/Network_Segmentation_Cheat_Sheet.md). - ## O [OS Command Injection Defense Cheat Sheet](cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.md). 
![Java](assets/Index_Java.png) ![Php](assets/Index_Php.png) ![Shell](assets/Index_Shell.png) ## P +[PHP Configuration Cheat Sheet](cheatsheets/PHP_Configuration_Cheat_Sheet.md). + [Password Storage Cheat Sheet](cheatsheets/Password_Storage_Cheat_Sheet.md). [Pinning Cheat Sheet](cheatsheets/Pinning_Cheat_Sheet.md). [Prototype Pollution Prevention Cheat Sheet](cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) -[PHP Configuration Cheat Sheet](cheatsheets/PHP_Configuration_Cheat_Sheet.md). - ## Q [Query Parameterization Cheat Sheet](cheatsheets/Query_Parameterization_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Ruby](assets/Index_Ruby.png) ![Php](assets/Index_Php.png) ![Sql](assets/Index_Sql.png) ![Coldfusion](assets/Index_Coldfusion.png) ![Perl](assets/Index_Perl.png) 
@@ -164,33 +164,29 @@ [REST Assessment Cheat Sheet](cheatsheets/REST_Assessment_Cheat_Sheet.md). -[Ruby on Rails Cheat Sheet](cheatsheets/Ruby_on_Rails_Cheat_Sheet.md). ![Html](assets/Index_Html.png) ![Ruby](assets/Index_Ruby.png) ![Bash](assets/Index_Bash.png) - [REST Security Cheat Sheet](cheatsheets/REST_Security_Cheat_Sheet.md). -## S - -[Server Side Request Forgery Prevention Cheat Sheet](cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Python](assets/Index_Python.png) ![Ruby](assets/Index_Ruby.png) ![Bash](assets/Index_Bash.png) +[Ruby on Rails Cheat Sheet](cheatsheets/Ruby_on_Rails_Cheat_Sheet.md). ![Html](assets/Index_Html.png) ![Ruby](assets/Index_Ruby.png) ![Bash](assets/Index_Bash.png) -[Secure Product Design Cheat Sheet](cheatsheets/Secure_Product_Design_Cheat_Sheet.md). +## S -[Secure Cloud Architecture Cheat Sheet](cheatsheets/Secure_Cloud_Architecture_Cheat_Sheet.md). +[SAML Security Cheat Sheet](cheatsheets/SAML_Security_Cheat_Sheet.md). [SQL Injection Prevention Cheat Sheet](cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Php](assets/Index_Php.png) ![Sql](assets/Index_Sql.png) ![Vbnet](assets/Index_Vbnet.png) -[Session Management Cheat Sheet](cheatsheets/Session_Management_Cheat_Sheet.md). - [Secrets Management Cheat Sheet](cheatsheets/Secrets_Management_Cheat_Sheet.md). -[SAML Security Cheat Sheet](cheatsheets/SAML_Security_Cheat_Sheet.md). +[Secure Cloud Architecture Cheat Sheet](cheatsheets/Secure_Cloud_Architecture_Cheat_Sheet.md). + +[Secure Product Design Cheat Sheet](cheatsheets/Secure_Product_Design_Cheat_Sheet.md). [Securing Cascading Style Sheets Cheat Sheet](cheatsheets/Securing_Cascading_Style_Sheets_Cheat_Sheet.md). -## T +[Server Side Request Forgery Prevention Cheat Sheet](cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.md). 
![Java](assets/Index_Java.png) ![Python](assets/Index_Python.png) ![Ruby](assets/Index_Ruby.png) ![Bash](assets/Index_Bash.png) -[Transaction Authorization Cheat Sheet](cheatsheets/Transaction_Authorization_Cheat_Sheet.md). +[Session Management Cheat Sheet](cheatsheets/Session_Management_Cheat_Sheet.md). -[Transport Layer Protection Cheat Sheet](cheatsheets/Transport_Layer_Protection_Cheat_Sheet.md). ![Bash](assets/Index_Bash.png) +## T [TLS Cipher String Cheat Sheet](cheatsheets/TLS_Cipher_String_Cheat_Sheet.md). @@ -198,18 +194,22 @@ [Threat Modeling Cheat Sheet](cheatsheets/Threat_Modeling_Cheat_Sheet.md). -## U +[Transaction Authorization Cheat Sheet](cheatsheets/Transaction_Authorization_Cheat_Sheet.md). -[User Privacy Protection Cheat Sheet](cheatsheets/User_Privacy_Protection_Cheat_Sheet.md). +[Transport Layer Protection Cheat Sheet](cheatsheets/Transport_Layer_Protection_Cheat_Sheet.md). ![Bash](assets/Index_Bash.png) + +## U [Unvalidated Redirects and Forwards Cheat Sheet](cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Ruby](assets/Index_Ruby.png) ![Php](assets/Index_Php.png) -## V +[User Privacy Protection Cheat Sheet](cheatsheets/User_Privacy_Protection_Cheat_Sheet.md). -[Vulnerability Disclosure Cheat Sheet](cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.md). +## V [Virtual Patching Cheat Sheet](cheatsheets/Virtual_Patching_Cheat_Sheet.md). ![Html](assets/Index_Html.png) +[Vulnerability Disclosure Cheat Sheet](cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.md). + [Vulnerable Dependency Management Cheat Sheet](cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ## W 
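Review bot: the Index.md hunks in this commit re-sort every letter section, but the resulting order is byte-wise (uppercase before lowercase), not alphabetical: `DOM Clobbering` now precedes `Database`, `HTML5 Security` precedes `HTTP Headers`, `LDAP Injection` precedes `Laravel`, `NPM Security` precedes `Network Segmentation`, `PHP Configuration` precedes `Password Storage`, `SQL Injection` precedes `Secrets Management`, and `TLS Cipher String` precedes `Threat Modeling`. If Index.md is produced by `make generate-site`, as the first commit message says, this is the generator's sort and should be fixed there with a case-insensitive key rather than by hand-editing the output; either way the Index reordering is unrelated to the JWT cheat sheet and would be easier to review as its own commit.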
@@ -218,10 +218,10 @@ ## X -[XML Security Cheat Sheet](cheatsheets/XML_Security_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Xml](assets/Index_Xml.png) ![Bash](assets/Index_Bash.png) - [XML External Entity Prevention Cheat Sheet](cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Cpp](assets/Index_Cpp.png) ![Php](assets/Index_Php.png) +[XML Security Cheat Sheet](cheatsheets/XML_Security_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Xml](assets/Index_Xml.png) ![Bash](assets/Index_Bash.png) + [XSS Filter Evasion Cheat Sheet](cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.md). ![Html](assets/Index_Html.png) ![Php](assets/Index_Php.png) [XS Leaks Cheat Sheet](cheatsheets/XS_Leaks_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) diff --git a/assets/JWTCSA/0-verification.md b/assets/JWTCSA/0-verification.md index ad7ad25773..dd0543a812 100644 --- a/assets/JWTCSA/0-verification.md +++ b/assets/JWTCSA/0-verification.md @@ -46,4 +46,3 @@ console.log(protectedHeader) console.log(payload) ``` - diff --git a/assets/JWTCSA/1-jwks.md b/assets/JWTCSA/1-jwks.md new file mode 100644 index 0000000000..c32ac4a4f6 --- /dev/null +++ b/assets/JWTCSA/1-jwks.md @@ -0,0 +1,33 @@ +# JWKS + +## Generating a JWKS Key + +### Python:jwcrypto + + + +```python +import uuid +from jwcrypto import jwk, jwt + +unique_kid = uuid.uuid4() + +this_nodes_jwk = jwk.JWK.generate(kty="RSA", size=4096, kid=str(unique_kid)) + +public_key = this_nodes_jwk.export_public() + +# Publish to Datastore in Multinode system + +this_token = jwt.JWT(header={"alg": "RS256"}, + claims={"name": "example_system"} + ) + +this_token.make_signed_token(this_nodes_jwk) + +# For validation on jwt.io as an example +encoded_token = this_token.serialize() +public_key = this_node_jwk.export_public() +private_key = this_node_jwk.export_private() +``` + + 
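Review bot: the new snippet assets/JWTCSA/1-jwks.md raises `NameError` as written: the key is created as `this_nodes_jwk`, but the last two lines call `this_node_jwk.export_public()` and `this_node_jwk.export_private()`. `public_key` is also assigned twice with the same value, and `private_key = ...export_private()` sits directly under a comment about publishing to a datastore, which a reader may copy literally; the private key must never leave the signing node, so either drop that line or state in the comment that it exists only for pasting into jwt.io during a local test. Two further points on the snippet itself: `jwt.JWT(header={"alg": "RS256"}, ...)` never places the `kid` in the protected header, so a verifier that fetches the JWKS has no way to select the matching key; add `"kid": str(unique_kid)` to the header. And the claims `{"name": "example_system"}` carry none of the `nbf`, `iat`, `exp` claims the cheat sheet calls the normal time-based claims, nor `iss` or `aud`; include them so the example does not contradict the text. Lastly, the file shows no `--8<-- [start:...]` section markers, while `0-verification.md` is included by named section (`:java`, `:pyjwt`, `:jose`), so confirm how the cheat sheet includes this file.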
diff --git a/assets/JWTCSA/jwks.png b/assets/JWTCSA/jwks.png new file mode 100644 index 0000000000000000000000000000000000000000..8c8bfa35df6592b406b64ec42eb797fa5804eea0 GIT binary patch literal 21303
redis : Pub (S) +api2 --> redis : Pub (S) +api3 --> redis : Pub (S) +api4 --> redis : Pub (S) + +request --> api4 : ""{"keys":[\n\t\t{"kid": "kidnode1"...},\n\t\t{"kid": "kidnode2"...},\n\t\t{"kid": "kidnode3"...},\n\t\t{"kid": "kidnode4"...}\n]}"" +api4 <-- redis : Read all Public Keys + +@enduml diff --git a/cheatsheets/JWT_Cheat_Sheet.md b/cheatsheets/JWT_Cheat_Sheet.md index 240569184c..b71459e9e2 100644 --- a/cheatsheets/JWT_Cheat_Sheet.md +++ b/cheatsheets/JWT_Cheat_Sheet.md
@@ -23,6 +23,24 @@ This token is created during authentication (is provided in case of successful a all of this in a stateless and portable approach (portable in the way that client and server technologies can be different including also the transport channel even if HTTP is the most often used). + +### Verification + +Your application, absolutely should verify that the tokens it recieves are valid. You can do this with a symmetric scheme, where +a secret between all parties out of band. For more on how to manage secrets please refer to the [secrets management cheat sheet](Secrets_Management_Cheat_Sheet.md). Or you can use an asymmetric key to signe your tokens. you have the option of signing your +tokens with a centrally signed certificate but, a system [Json Web Key Sets](https://datatracker.ietf.org/doc/html/rfc7517) a +reasonably well supported system that integrates well with most JWT libraries and allows you the benefits of asymmetric encryption +while being able to take advantage of modern TLS solutions that prevent your application from needing access to the same certificate +that's encrypting traffic in transit. There are concerns on how to do this with multi-node systems; but in general use of a data +store like redis can be used to keep track of the largely ephemeral keys you would create. + +![JWKS Multi-Node](../assets/JWTCSA/jwks.png) + +### JWKS Startup Examples + +=== "Python Example (`jwcrypto`)" + --8<-- "JWTCSA/1-jwks.md:jwcrypto" + ## Token Structure Token structure example taken from [JWT.IO](https://jwt.io/#debugger): 
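Review bot: the Verification paragraph needs a pass before merge. The second sentence is missing its verb ("where a secret between all parties out of band" should read "where a secret is shared between all parties out of band"), and it has "recieves", "signe" and a lowercase "you"; the clause "but, a system Json Web Key Sets a reasonably well supported system" is not a sentence. On substance, a JWKS gives you asymmetric signing (JWS), not "asymmetric encryption", and the benefit worth stating is that verifiers only ever need the public keys. The last sentence hands key distribution to "a data store like redis" without saying that the store then sits inside the trust boundary: anything that can write a public key into it can mint tokens every node will accept, so write access must be limited to the signing nodes and the set of accepted `kid`s kept bounded and rotated. Finally, the include `--8<-- "JWTCSA/1-jwks.md:jwcrypto"` names a snippet section, which pymdownx snippets only resolves when the file carries `--8<-- [start:jwcrypto]` and `--8<-- [end:jwcrypto]` markers; `1-jwks.md` as added has none, so the tab will render empty.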
@@ -177,7 +195,13 @@ Use a publicly signed certificate to sign jwts and check for certificate revocat ### Validate Common Claims -TODO +So you have a REST or similar api, it accepts JWTs. How to you validate both A, that the jwt is who it says it's from and B, that +the things in the JWT are nominally "correct". There's a couple of options.. + +#### Identity Verification Symmetric vs. Asymmetric + + + ### Implement Buisness Logic post Validation From cc26767e5d081905aacaef3023519a8615f7ccb9 Mon Sep 17 00:00:00 2001 From: Christopher Halbersma Date: Sat, 28 Oct 2023 22:25:11 -0700 Subject: [PATCH 4/4] Updating Cheat Sheet --- Index.md | 42 +++++++++++++++++---------------- assets/JWTCSA/0-verification.md | 5 ++++ assets/JWTCSA/1-jwks.md | 5 ++++ cheatsheets/JWT_Cheat_Sheet.md | 14 ++++++++--- 4 files changed, 43 insertions(+), 23 deletions(-) diff --git a/Index.md b/Index.md index 3ebf9540fd..6e5ab67a37 100644 --- a/Index.md +++ b/Index.md @@ -1,6 +1,6 @@ # Index Alphabetical -**86** cheat sheets available. +**87** cheat sheets available. *Icons beside the cheat sheet name indicate in which language(s) code snippet(s) are provided.* @@ -12,8 +12,6 @@ [Abuse Case Cheat Sheet](cheatsheets/Abuse_Case_Cheat_Sheet.md). -[Access Control Cheat Sheet](cheatsheets/Access_Control_Cheat_Sheet.md). - [Attack Surface Analysis Cheat Sheet](cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.md). [Authentication Cheat Sheet](cheatsheets/Authentication_Cheat_Sheet.md). @@ -22,6 +20,8 @@ [Authorization Testing Automation Cheat Sheet](cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Xml](assets/Index_Xml.png) +[Access Control Cheat Sheet](cheatsheets/Access_Control_Cheat_Sheet.md). + ## B [Bean Validation Cheat Sheet](cheatsheets/Bean_Validation_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Xml](assets/Index_Xml.png) 
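Review bot: the new "Validate Common Claims" text replaces the TODO with a lead-in but leaves the `#### Identity Verification Symmetric vs. Asymmetric` heading empty, which renders as a dangling header; either fill it or drop it until there is content. Typos: "How to you" should be "How do you", "api" should be "API", and the trailing ".." should be a single period. The two questions posed (A: who issued the token, B: are its claims correct) map to signature verification and claim validation respectively, and the paragraph should say that the signature check comes first and that claims are only meaningful once it has succeeded.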
@@ -34,10 +34,10 @@ [Clickjacking Defense Cheat Sheet](cheatsheets/Clickjacking_Defense_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) -[Content Security Policy Cheat Sheet](cheatsheets/Content_Security_Policy_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) - [Credential Stuffing Prevention Cheat Sheet](cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.md). +[Content Security Policy Cheat Sheet](cheatsheets/Content_Security_Policy_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) + [Cross-Site Request Forgery Prevention Cheat Sheet](cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md). ![Html](assets/Index_Html.png) [Cross Site Scripting Prevention Cheat Sheet](cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md). ![Html](assets/Index_Html.png) 
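Review bot: this Index.md hunk moves "Content Security Policy" after "Credential Stuffing" in a file headed "Index Alphabetical", which breaks the ordering; the same reshuffle pattern appears in the B, D, L, M, R, S and X hunks of this commit. This looks like generator output from an unsorted directory listing rather than an intended change; regenerate once with a stable sort instead of committing the reorderings.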
@@ -48,19 +48,19 @@ [DOM Clobbering Prevention Cheat Sheet](cheatsheets/DOM_Clobbering_Prevention_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) -[DOM based XSS Prevention Cheat Sheet](cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) - [Database Security Cheat Sheet](cheatsheets/Database_Security_Cheat_Sheet.md). [Denial of Service Cheat Sheet](cheatsheets/Denial_of_Service_Cheat_Sheet.md). -[Deserialization Cheat Sheet](cheatsheets/Deserialization_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Python](assets/Index_Python.png) - [Django REST Framework Cheat Sheet](cheatsheets/Django_REST_Framework_Cheat_Sheet.md). ![Python](assets/Index_Python.png) [Docker Security Cheat Sheet](cheatsheets/Docker_Security_Cheat_Sheet.md). ![Bash](assets/Index_Bash.png) -[DotNet Security Cheat Sheet](cheatsheets/DotNet_Security_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Csharp](assets/Index_Csharp.png) ![Html](assets/Index_Html.png) ![Xml](assets/Index_Xml.png) ![Sql](assets/Index_Sql.png) +[DOM based XSS Prevention Cheat Sheet](cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) + +[Deserialization Cheat Sheet](cheatsheets/Deserialization_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Python](assets/Index_Python.png) + +[DotNet Security Cheat Sheet](cheatsheets/DotNet_Security_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Csharp](assets/Index_Csharp.png) ![Html](assets/Index_Html.png) ![Xml](assets/Index_Xml.png) ## E 
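Review bot: besides the reordering, the `DotNet Security Cheat Sheet` entry loses its `![Sql](assets/Index_Sql.png)` icon in this hunk, yet that cheat sheet is not touched anywhere in this series, so its icon list should be unchanged. Check the generator's language detection for that file or restore the icon.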
@@ -118,20 +118,22 @@ [Laravel Cheat Sheet](cheatsheets/Laravel_Cheat_Sheet.md). ![Html](assets/Index_Html.png) ![Php](assets/Index_Php.png) ![Sql](assets/Index_Sql.png) ![Bash](assets/Index_Bash.png) -[Logging Cheat Sheet](cheatsheets/Logging_Cheat_Sheet.md). - [Logging Vocabulary Cheat Sheet](cheatsheets/Logging_Vocabulary_Cheat_Sheet.md). +[Logging Cheat Sheet](cheatsheets/Logging_Cheat_Sheet.md). + ## M [Mass Assignment Cheat Sheet](cheatsheets/Mass_Assignment_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Java](assets/Index_Java.png) ![Html](assets/Index_Html.png) ![Php](assets/Index_Php.png) -[Microservices Security Cheat Sheet](cheatsheets/Microservices_Security_Cheat_Sheet.md). - [Microservices based Security Arch Doc Cheat Sheet](cheatsheets/Microservices_based_Security_Arch_Doc_Cheat_Sheet.md). [Multifactor Authentication Cheat Sheet](cheatsheets/Multifactor_Authentication_Cheat_Sheet.md). +[Microservices Security Cheat Sheet](cheatsheets/Microservices_Security_Cheat_Sheet.md). + +[Mobile Application Security Cheat Sheet](cheatsheets/Mobile_Application_Security_Cheat_Sheet.md). + ## N [NPM Security Cheat Sheet](cheatsheets/NPM_Security_Cheat_Sheet.md). @@ -164,10 +166,10 @@ [REST Assessment Cheat Sheet](cheatsheets/REST_Assessment_Cheat_Sheet.md). -[REST Security Cheat Sheet](cheatsheets/REST_Security_Cheat_Sheet.md). - [Ruby on Rails Cheat Sheet](cheatsheets/Ruby_on_Rails_Cheat_Sheet.md). ![Html](assets/Index_Html.png) ![Ruby](assets/Index_Ruby.png) ![Bash](assets/Index_Bash.png) +[REST Security Cheat Sheet](cheatsheets/REST_Security_Cheat_Sheet.md). + ## S [SAML Security Cheat Sheet](cheatsheets/SAML_Security_Cheat_Sheet.md). 
@@ -176,14 +178,14 @@ [Secrets Management Cheat Sheet](cheatsheets/Secrets_Management_Cheat_Sheet.md). -[Secure Cloud Architecture Cheat Sheet](cheatsheets/Secure_Cloud_Architecture_Cheat_Sheet.md). - [Secure Product Design Cheat Sheet](cheatsheets/Secure_Product_Design_Cheat_Sheet.md). [Securing Cascading Style Sheets Cheat Sheet](cheatsheets/Securing_Cascading_Style_Sheets_Cheat_Sheet.md). [Server Side Request Forgery Prevention Cheat Sheet](cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Python](assets/Index_Python.png) ![Ruby](assets/Index_Ruby.png) ![Bash](assets/Index_Bash.png) +[Secure Cloud Architecture Cheat Sheet](cheatsheets/Secure_Cloud_Architecture_Cheat_Sheet.md). + [Session Management Cheat Sheet](cheatsheets/Session_Management_Cheat_Sheet.md). ## T @@ -218,10 +220,10 @@ ## X -[XML External Entity Prevention Cheat Sheet](cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Cpp](assets/Index_Cpp.png) ![Php](assets/Index_Php.png) - [XML Security Cheat Sheet](cheatsheets/XML_Security_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Xml](assets/Index_Xml.png) ![Bash](assets/Index_Bash.png) [XSS Filter Evasion Cheat Sheet](cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.md). ![Html](assets/Index_Html.png) ![Php](assets/Index_Php.png) [XS Leaks Cheat Sheet](cheatsheets/XS_Leaks_Cheat_Sheet.md). ![Javascript](assets/Index_Javascript.png) ![Html](assets/Index_Html.png) + +[XML External Entity Prevention Cheat Sheet](cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md). ![Java](assets/Index_Java.png) ![Csharp](assets/Index_Csharp.png) ![Cpp](assets/Index_Cpp.png) ![Php](assets/Index_Php.png) diff --git a/assets/JWTCSA/0-verification.md b/assets/JWTCSA/0-verification.md index dd0543a812..bd9200cc2f 100644 --- a/assets/JWTCSA/0-verification.md +++ b/assets/JWTCSA/0-verification.md 
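Review bot: the X hunk here reverses the XML entry order that the first patch of this series introduced, and the S hunk moves "Secure Cloud Architecture" after "Server Side Request Forgery"; both are index churn unrelated to the JWT change. Generate the index once at the end of the series and keep the entries alphabetical so the diff stays reviewable.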
@@ -1,3 +1,8 @@ +--- +search: + exclude: true +--- + # Verification ## `None` Examples diff --git a/assets/JWTCSA/1-jwks.md b/assets/JWTCSA/1-jwks.md index c32ac4a4f6..83abb4b738 100644 --- a/assets/JWTCSA/1-jwks.md +++ b/assets/JWTCSA/1-jwks.md @@ -1,3 +1,8 @@ +--- +search: + exclude: true +--- + # JWKS ## Generating a JWKS Key diff --git a/cheatsheets/JWT_Cheat_Sheet.md b/cheatsheets/JWT_Cheat_Sheet.md index b71459e9e2..3bfd0c5503 100644 --- a/cheatsheets/JWT_Cheat_Sheet.md +++ b/cheatsheets/JWT_Cheat_Sheet.md @@ -198,15 +198,23 @@ Use a publicly signed certificate to sign jwts and check for certificate revocat So you have a REST or similar api, it accepts JWTs. How to you validate both A, that the jwt is who it says it's from and B, that the things in the JWT are nominally "correct". There's a couple of options.. -#### Identity Verification Symmetric vs. Asymmetric - - +We'd like to see the following claims be included in our standard: +| Claim | Name | Example | +|:------|:-----|:-------------------| +| `iss` | Issuer Claim | `requestingapplication.example.com` | +| `sub` | Subject Claim | * `user@application.example.com`
* `system`
* `user@useremail.com`| +| `aud` | Audience Claim | `targetapplication.example.com` | +| `exp` | Expiration Time Claim | unix timestamp | +| `nbf` | Not Before Claim | unix timestamp | +| `iat` | Issued At Claim | unix timestamp | ### Implement Buisness Logic post Validation TODO +Discuss a moving target towards OIDC claims. + ## Further Reading - [{JWT}.{Attack}.Playbook](https://github.com/ticarpi/jwt_tool/wiki) - A project documents the known attacks and potential security vulnerabilities and misconfigurations of JSON Web Tokens.
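Review bot: the claims table in the "Validate Common Claims" hunk has a formatting problem and a leftover note. The `sub` cell is split across lines with `<br>` and `*` bullets, which does not render as a markdown table in most renderers; list the alternatives on one line separated by commas. "We'd like to see the following claims be included in our standard" is vague about whose standard; state which claims a token must carry and what the consumer checks: `iss` equals the expected issuer, `aud` contains this service's own identifier, `exp`, `nbf` and `iat` are compared against the current time with a small clock-skew allowance, and a token missing any of them is rejected. "unix timestamp" is fine but should say these are NumericDate values (seconds since the epoch) as RFC 7519 defines them. "Discuss a moving target towards OIDC claims." under "Implement Buisness Logic post Validation" reads as an author's to-do and should not ship; that heading also still carries the "Buisness" typo.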