Use default encryption from the JWT library
ID: javascript-node-security/jwt-weak-encryption
Language: JavaScript
Severity: Warning
Category: Security
CWE: 327
Description
Do not use none as a verification algorithm for a JWT. A token whose header declares alg: none carries no signature at all. If 'none' appears in the list of accepted algorithms, the verifier treats the empty signature as valid, so an attacker who knows no key can forge a token with arbitrary claims (for example an elevated role) and have it accepted automatically.
Never include 'none' in the algorithms option. List only the signature algorithm(s) that your keys actually use, as directed by the library documentation, and pin that list explicitly rather than trusting the alg value in the incoming token.
Non-Compliant Code Examples
// 'none' in the allowlist: an unsigned, attacker-forged token is accepted.
jwt.verify(token, secret, { algorithms: ['RS256', 'none'] }, func);
// Order does not matter; any list that contains 'none' is vulnerable.
jwt.verify(token, secret, { algorithms: ['none', 'RS256'] }, func);
Compliant Code Examples
// Only signed algorithms are accepted; a token with alg: none is rejected.
jwt.verify(token, secret, { algorithms: ['RS256', 'HS256'] }, func);