Ensure JWT signatures are verified


Metadata

ID: python-security/insecure-jwt

Language: Python

Severity: Notice

Category: Security

CWE: 287

Description

Passing options={"verify_signature": False} (or, in older PyJWT releases, verify=False) to jwt.decode skips signature verification entirely: the token's claims are returned and trusted exactly as the client sent them. Anyone who can edit a token can then change its subject or role, so the application may authenticate users that should not be authenticated (CWE-287, Improper Authentication). Leave verification enabled and decode with the signing key and an explicit list of accepted algorithms.
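To show concretely what disabling verification gives up, here is an added example (not code from the PyJWT project or from this rule's fixtures) that implements HS256 minting and checking with the standard library only. decode_unverified does what options={"verify_signature": False} amounts to; decode_verified pins the algorithm and checks the HMAC first. SECRET and the claims are constructed for the example, and forge_admin_token plays the attacker who owns only a low-privilege token.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key; a real service loads this from a secret store.
SECRET = b"example-signing-key-do-not-use"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(payload: dict, key: bytes) -> str:
    """Create an HS256 JWT the way a legitimate issuer would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """Equivalent of verify_signature=False: parse the claims and trust
    them without looking at the signature at all."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def decode_verified(token: str, key: bytes) -> dict:
    """Check the HS256 signature before returning any claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side: the token must never choose it
    # (rejects alg=none and algorithm-confusion tokens).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(payload_b64))


def forge_admin_token(valid_token: str) -> str:
    """Attacker holding a low-privilege token rewrites the payload and
    keeps the stale signature; any signature passes when checks are off."""
    header_b64, payload_b64, sig_b64 = valid_token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["role"] = "admin"
    forged = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{forged}.{sig_b64}"


def demo() -> dict:
    """Run the three cases the rule is about and report the outcomes."""
    legit = mint_token({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_admin_token(legit)
    results = {
        "unverified_accepts_forgery": decode_unverified(forged)["role"] == "admin",
        "verified_accepts_legit": decode_verified(legit, SECRET)["role"] == "user",
    }
    try:
        decode_verified(forged, SECRET)
        results["verified_rejects_forgery"] = False
    except ValueError:
        results["verified_rejects_forgery"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

With PyJWT the verified path is simply jwt.decode(token, key, algorithms=["HS256"]); signature verification is on by default, so the only way to end up in the decode_unverified situation is to opt out of it explicitly, which is the call this rule flags.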


Non-Compliant Code Examples

import jwt

def insecure_verify(token):
    # verify=False (legacy PyJWT keyword) disables signature verification:
    # any token, however tampered, is decoded and trusted.
    decoded = jwt.decode(token, verify=False)
    print(decoded)
    return True


import jwt

# options={"verify_signature": False} has the same effect in current PyJWT:
# the claims are returned without the signature ever being checked.
jwt.decode(encoded, options={"verify_signature": False})

Compliant Code Examples

import jwt

# A keyword other than options, or an options dict that does not set
# "verify_signature", does not disable verification, so the rule does
# not flag these calls.
jwt.decode(encoded, bla={"verify_signature": False})

jwt.decode(encoded, options={"foobar": False})


import jwt

# Signature verification explicitly enabled (the default); pass the key
# and accepted algorithms as well so the check actually has something to verify.
jwt.decode(encoded, options={"verify_signature": True})