Ensure JWT use an algorithm

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: ruby-security/jwt-algorithm-none

Language: Ruby

Severity: Warning

Category: Security

CWE: 327

Description

The rule “Ensure JWT use an algorithm” is important because it checks whether your JSON Web Tokens (JWT) are using a secure encryption algorithm. JWT is a compact, URL-safe means of representing claims to be transferred between two parties. However, if a JWT is encoded without a secure algorithm, it can be easily manipulated and decoded, compromising the security of the data it carries.

The ’none’ algorithm is a security vulnerability as it allows a token to be validated without any signature. This means anyone can create a valid token.

To avoid this, always specify a secure algorithm when encoding a JWT. For instance, ‘HS256’ is a commonly used, secure algorithm. In Ruby, when using the JWT.encode method, the third parameter should be a secure algorithm, such as ‘HS256’. For example: jwt_token = JWT.encode content, nil, 'HS256'. Never use ’none’ as the algorithm. This will ensure the integrity and confidentiality of your JWTs.

Non-Compliant Code Examples

jwt_token = JWT.encode content, nil, 'none'

Compliant Code Examples

jwt_token = JWT.encode content, nil, 'HS256'
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis