I am currently working on an e-commerce project in which I am designing the server side of an API (in PHP on Laravel 5.5), while my two colleagues are designing the Android and iOS apps, which will get all their data from my side.
The communication of sensitive and non-sensitive data will be done entirely via this API, but, all of us being relatively inexperienced, we have trouble deciding whether it is safe or even necessary to encrypt all our exchanges with a key hard-coded and agreed upon during development, while using JWT.
I have looked far and wide for a clear consensus, but the process is already slightly confusing, and the expert opinions seem to be divergent on points so refined that the consequences escape me completely.
Can anyone "security-savvy" help us with the following questions?
1) Is using JWT safe on its own (provided we use 'common sense')? I.e., is it a respected standard among professionals?
2) Is using JWT considered 'good practice' for an app that will deal with payment information?
3) Is encrypting the JWT on the sender's side and decrypting on the recipient's side safer? Or are we just adding an extra layer here but leaving a door wide open there?
4) Reading the Laravel 5.5 docs, I see that they offer the Passport plugin; is this reliable to use for beginners?
5) Most importantly, is there a source of reliable information concerning communication security, in the same way the W3C is safekeeping the 'best practices'?
Please feel free to correct the question itself. Thank you.
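To make question 3 concrete, the following is an added illustration that is not part of the question above; it is written in Python rather than the project's PHP so that the mechanics fit in a few lines, and the key `DEMO_KEY` and all function names are constructed for the example. It builds a standard HS256 JWT by hand, shows that the payload can be read by anyone holding the token (the signature gives integrity, not confidentiality), and shows the two checks a verifier must always do: pin the algorithm named in the header and compare the HMAC in constant time.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for this example only. In a deployment the signing key is
# loaded from server-side configuration (environment variable, secrets store);
# a key shipped inside a mobile app binary is readable by anyone who has the app.
DEMO_KEY = b"demo-only-secret-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    """base64url without padding, as RFC 7515 requires for JWS/JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Re-add the padding that was stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    """Compact JSON (no whitespace) so the encoded segment is deterministic."""
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: header.payload.signature, each base64url."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def peek_claims(token: str) -> dict:
    """Read the payload WITHOUT the key: a signed (not encrypted) JWT hides nothing."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_jwt(token: str, key: bytes) -> dict:
    """Return the claims only if the header says HS256 and the HMAC matches."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three dot-separated segments")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the server side. Never let the token choose it, or a
    # header of {"alg":"none"} would turn signature checking off.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison so a wrong signature does not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not match")
    return json.loads(_b64url_decode(payload_b64))


def is_valid(token: str, key: bytes) -> bool:
    """Boolean wrapper around verify_jwt for callers that only need accept/reject."""
    try:
        verify_jwt(token, key)
        return True
    except ValueError:
        return False


def with_replaced_claims(token: str, claims: dict) -> str:
    """Swap in a different payload but keep the original signature; used below to
    show that verification rejects a token whose payload no longer matches."""
    header_b64, _payload, sig_b64 = token.split(".")
    return header_b64 + "." + _json_segment(claims) + "." + sig_b64


if __name__ == "__main__":
    token = sign_jwt({"sub": "user-42", "scope": "orders:read"}, DEMO_KEY)
    print("token:", token)
    print("payload readable without key:", peek_claims(token))
    print("verified:", verify_jwt(token, DEMO_KEY))
    print("modified payload accepted?", is_valid(with_replaced_claims(token, {"sub": "user-42", "scope": "orders:admin"}), DEMO_KEY))
```

The point the example makes: an HS256 JWT proves that the server issued the token and that its claims were not changed, but every claim is visible to whoever holds it, so a token must never carry card numbers or other payment secrets, and confidentiality of the token on the wire comes from TLS rather than from the signature. The secret that verifies the HMAC belongs only on the server; if the same key were embedded in the Android and iOS apps, anyone with a copy of the app could mint tokens that the server would accept.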