Use default encryption from the JWT library

Docs > Code Analysis > Static Analysis Rules > Use default encryption from the JWT library

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: javascript-node-security/jwt-weak-encryption

Language: JavaScript

Severity: Warning

Category: Security

CWE: 327

Description

Do not use none as a validation algorithm for a JWT token. The none algorithm assumes that the token has been verified, which would allow attacker to create a token that would be automatically validated.

Never use the none algorithm, always use a valid algorithm as directed by the documentation.

Non-Compliant Code Examples

jwt.verify(token, secret, { algorithms: ['RS256', 'none'] }, func);
jwt.verify(token, secret, { algorithms: ['none', 'RS256'] }, func);

Compliant Code Examples

jwt.verify(token, secret, { algorithms: ['RS256', 'HS256'] }, func);