Ensure JWT use an algorithm
ID: ruby-security/jwt-algorithm-none
Language: Ruby
Severity: Warning
Category: Security
CWE: 327
Description
The rule "Ensure JWT use an algorithm" checks whether your JSON Web Tokens (JWT) are signed with a secure algorithm. A JWT is a compact, URL-safe means of representing claims to be transferred between two parties. If a JWT is encoded without a secure algorithm, it can be freely manipulated and decoded, compromising the security of the data it carries.
The 'none' algorithm is a security vulnerability because it allows a token to be accepted without any signature, so anyone can craft a token that validates.
To avoid this, always specify a secure algorithm when encoding a JWT. For instance, 'HS256' is a commonly used, secure algorithm. In Ruby, when using the JWT.encode method, the third parameter should be a secure algorithm such as 'HS256'. For example: jwt_token = JWT.encode content, nil, 'HS256'. Never use 'none' as the algorithm. This will ensure the integrity and confidentiality of your JWTs.
Non-Compliant Code Examples
jwt_token = JWT.encode content, nil, 'none'
Compliant Code Examples
jwt_token = JWT.encode content, nil, 'HS256'
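The following is an added example, not part of the rule page or of the ruby-jwt gem. It re-implements the two algorithms the rule contrasts on top of Ruby's standard library (OpenSSL and JSON) to show why a 'none' token is dangerous: its signature segment is empty, and a decoder that pins the algorithm it expects (here 'HS256') rejects it instead of trusting the token's own alg header. SECRET and CLAIMS are constructed sample values.

```ruby
require 'openssl'
require 'json'

# Minimal stand-in for JWT.encode / JWT.decode, stdlib only, supporting
# exactly the two algorithms the rule discusses: 'none' and 'HS256'.
module MiniJWT
  SECRET = 'constructed-demo-secret' # constructed sample key, not a real one
  CLAIMS = { 'sub' => 'user-42', 'admin' => false }.freeze

  def self.b64url(bytes) = [bytes].pack('m0').tr('+/', '-_').delete('=')

  def self.b64url_decode(str)
    str = str.tr('-_', '+/')
    str += '=' * ((4 - str.length % 4) % 4)
    str.unpack1('m0')
  end

  def self.encode(payload, key, alg)
    header = { 'alg' => alg, 'typ' => 'JWT' }
    input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    sig = case alg
          when 'none'  then ''                 # no signature at all
          when 'HS256' then OpenSSL::HMAC.digest('SHA256', key, input)
          else raise ArgumentError, "unsupported alg #{alg}"
          end
    "#{input}.#{b64url(sig)}"
  end

  # Constant-time byte comparison so signature checks do not leak timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Verifies with the algorithm the caller expects; the token's own alg header
  # is only compared against it, never used to pick the algorithm.
  def self.decode(token, key, expected_alg)
    h, p, s = token.split('.', 3)
    raise 'malformed token' if h.nil? || p.nil? || s.nil?
    header = JSON.parse(b64url_decode(h))
    raise "rejected alg #{header['alg'].inspect}" unless header['alg'] == expected_alg
    expected = OpenSSL::HMAC.digest('SHA256', key, "#{h}.#{p}")
    raise 'bad signature' unless secure_equal?(b64url_decode(s), expected)
    JSON.parse(b64url_decode(p))
  end

  # A forged token with alg 'none' and escalated claims must not decode.
  def self.none_token_rejected?
    decode(encode(CLAIMS.merge('admin' => true), nil, 'none'), SECRET, 'HS256')
    false
  rescue RuntimeError
    true
  end
end
```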