Use default encryption from the JWT library

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: javascript-node-security/jwt-weak-encryption

Language: JavaScript

Severity: Warning

Category: Security

CWE: 327

Description

Do not use none as a validation algorithm for a JWT token. The none algorithm assumes that the token has been verified, which would allow attacker to create a token that would be automatically validated.

Never use the none algorithm, always use a valid algorithm as directed by the documentation.

Non-Compliant Code Examples

jwt.verify(token, secret, { algorithms: ['RS256', 'none'] }, func);
jwt.verify(token, secret, { algorithms: ['none', 'RS256'] }, func);

Compliant Code Examples

jwt.verify(token, secret, { algorithms: ['RS256', 'HS256'] }, func);