Ensure JWT use an algorithm


Metadata

ID: ruby-security/jwt-algorithm-none

Language: Ruby

Severity: Warning

Category: Security

CWE: 327

Description

The rule "Ensure JWT use an algorithm" is important because it checks whether your JSON Web Tokens (JWT) are signed with a secure algorithm. JWT is a compact, URL-safe means of representing claims to be transferred between two parties. However, if a JWT is issued without a secure signing algorithm, its contents can be easily manipulated while the token is still accepted as valid, compromising the integrity of the data it carries.

The 'none' algorithm is a security vulnerability, as it allows a token to be accepted without any signature: a verifier that honours it treats an unsigned token as valid. This means anyone can create a valid token.

To avoid this, always specify a secure algorithm when encoding a JWT. For instance, 'HS256' is a commonly used, secure algorithm. In Ruby, when using the JWT.encode method, the third parameter should be a secure algorithm, such as 'HS256'. For example: jwt_token = JWT.encode content, nil, 'HS256'. Never use 'none' as the algorithm, and pin the same algorithm when verifying tokens so that the 'alg' value in a token's own header cannot downgrade the check. This ensures the integrity of your JWTs; note that a signed (JWS) token is not encrypted, so its claims remain readable by anyone who holds it.

Non-Compliant Code Examples

jwt_token = JWT.encode content, nil, 'none'

Compliant Code Examples

# the second argument is the HMAC key: in real code pass a secret string, not nil
jwt_token = JWT.encode content, nil, 'HS256'
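As an added illustration, not code from this rule page or from the ruby-jwt gem: a minimal JWS HS256 signer and verifier written on Ruby's standard library (OpenSSL and JSON) that shows why the algorithm must be fixed on both sides. The issuer refuses 'none' outright, and the verifier compares the token header against an algorithm the server chooses rather than selecting a method from the header, so a forged `{"alg":"none"}` token with an empty signature is rejected. Function names and the sample secret are assumptions for this example.

```ruby
require 'openssl'
require 'json'

# Base64url without padding, as JWS compact serialization requires.
def b64url(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4)
  s.unpack1('m0') # strict decoding: raises ArgumentError on malformed input
end

# Constant-time comparison, so signature checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue a token. Only HS256 is supported; 'none' is refused at creation time,
# which is exactly the condition the rule checks for.
def encode_jwt(payload, key, alg)
  raise ArgumentError, 'refusing to issue an unsigned token' if alg.to_s.casecmp('none').zero?
  raise ArgumentError, "unsupported algorithm #{alg}" unless alg == 'HS256'
  raise ArgumentError, 'HS256 needs a non-empty secret key' if key.nil? || key.empty?
  header = b64url(JSON.generate('alg' => alg, 'typ' => 'JWT'))
  body   = b64url(JSON.generate(payload))
  sig    = OpenSSL::HMAC.digest('SHA256', key, "#{header}.#{body}")
  "#{header}.#{body}.#{b64url(sig)}"
end

# Verify a token against an algorithm the server chooses. The 'alg' value in
# the token header is checked for equality, never used to select the method,
# so a forged header of {"alg":"none"} with an empty signature is rejected.
# Returns the payload hash, or nil when the token is not acceptable.
def verify_jwt(token, key, expected_alg = 'HS256')
  header_b64, body_b64, sig_b64 = token.to_s.split('.', 3)
  return nil if header_b64.nil? || body_b64.nil? || sig_b64.nil?
  header = JSON.parse(b64url_decode(header_b64))
  return nil unless header.is_a?(Hash) && header['alg'] == expected_alg
  expected = OpenSSL::HMAC.digest('SHA256', key, "#{header_b64}.#{body_b64}")
  return nil unless secure_equal?(expected, b64url_decode(sig_b64))
  payload = JSON.parse(b64url_decode(body_b64))
  payload.is_a?(Hash) ? payload : nil
rescue JSON::ParserError, ArgumentError
  nil
end
```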