If a JSON Web Token (JWT) is not signed with a strong cipher algorithm (or not signed at all) an attacker can forge it and impersonate user
identities.
- Don’t use
none
algorithm to sign or verify the validity of a token.
- Don’t use a token without verifying its signature before.
Noncompliant Code Example
jsonwebtoken library:
const jwt = require('jsonwebtoken');
let token = jwt.sign({ foo: 'bar' }, key, { algorithm: 'none' }); // Noncompliant: 'none' cipher doesn't sign the JWT (no signature will be included)
jwt.verify(token, key, { expiresIn: 360000 * 5, algorithms: ['RS256', 'none'] }, callbackcheck); // Noncompliant: 'none' cipher should not be used when verifying JWT signature
Compliant Solution
jsonwebtoken library:
const jwt = require('jsonwebtoken');
let token = jwt.sign({ foo: 'bar' }, key, { algorithm: 'HS256' }); // Compliant
jwt.verify(token, key, { expiresIn: 360000 * 5, algorithms: ['HS256'] }, callbackcheck); // Compliant
See