Metadata

ID: ruby-security/jwt-algorithm-none

Language: Ruby

Severity: Warning

Category: Security

CWE: 327

Description

The rule "Ensure JWT use an algorithm" checks that your JSON Web Tokens (JWT) are produced with a secure signing algorithm. A JWT is a compact, URL-safe means of representing claims transferred between two parties. Its payload is only base64url-encoded, not encrypted, so the signature is the one thing that lets a recipient distinguish a genuine token from a fabricated one. If a token is issued without a real signing algorithm, anyone can alter its claims or build a token from scratch, and it will still pass as valid, compromising whatever authorization decisions rest on it.

The 'none' algorithm is the case this rule targets: it produces a token whose signature segment is empty, so a verifier that honours it accepts the token without checking any signature. Anyone who can base64url-encode a header and a payload can then mint a token with whatever claims they like.

To avoid this, always pass a secure algorithm when encoding a JWT. 'HS256' (HMAC-SHA256) is a common, secure choice. With the jwt gem, the third argument to JWT.encode is the algorithm and the second is the key, and both matter: jwt_token = JWT.encode content, secret, 'HS256', where secret is a high-entropy value kept out of source control (a nil or empty key makes the HMAC trivially forgeable). Never pass 'none'. Enforce the same choice on the verifying side: call JWT.decode with verification enabled and an explicit algorithm, for example JWT.decode token, secret, true, algorithm: 'HS256', so a token whose header claims alg 'none' is rejected rather than trusted. Note that HS256 signs the token; it provides integrity and authenticity, not confidentiality, because the payload stays readable by anyone who holds the token.
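The following added example is not the jwt gem's code and not part of this rule. It builds the token format by hand with the Ruby standard library so the whole attack is visible: a minimal JWS encoder that behaves like JWT.encode for 'none' and 'HS256', a naive verifier that trusts the alg in the token header, and a hardened verifier that pins the allowed algorithm server-side. It goes beyond the rule's encode-side check to show why the decode side must reject 'none' as well. The MiniJwt module, its method names, and the 'alice'/'admin' claims are constructed for illustration.

```ruby
require 'json'
require 'openssl'

# Minimal JWS (HS256 / none) encoder and verifier on the Ruby standard library.
# Added example; MiniJwt is a stand-in for the jwt gem, not the gem itself.
module MiniJwt
  class VerificationError < StandardError; end

  # Server-side allow-list: the verifier, not the token, decides the algorithm.
  ALLOWED_ALGS = ['HS256'].freeze

  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.unb64url(str)
    s = str.tr('-_', '+/')
    s += '=' * ((4 - s.length % 4) % 4)
    s.unpack1('m0').force_encoding('UTF-8')
  end

  def self.hmac_sha256(key, data)
    OpenSSL::HMAC.digest('SHA256', key, data)
  end

  # Same shape as JWT.encode(payload, key, alg). With alg 'none' the third
  # segment is empty, so nothing binds the payload to a secret.
  def self.encode(payload, key, alg)
    header = { 'alg' => alg, 'typ' => 'JWT' }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    signature = alg == 'none' ? '' : b64url(hmac_sha256(key, signing_input))
    "#{signing_input}.#{signature}"
  end

  # Insecure verifier: honours whatever 'alg' the token header declares,
  # so an attacker can switch it to 'none' and drop the signature entirely.
  def self.decode_trusting_header(token, key)
    h, p, s = token.split('.', 3)
    alg = JSON.parse(unb64url(h))['alg']
    return JSON.parse(unb64url(p)) if alg == 'none' && s == ''
    check_hmac!(h, p, s, key)
    JSON.parse(unb64url(p))
  end

  # Hardened verifier: rejects any algorithm outside ALLOWED_ALGS before
  # looking at the signature, so 'none' never reaches the accept path.
  def self.decode(token, key, algorithms: ALLOWED_ALGS)
    h, p, s = token.split('.', 3)
    alg = JSON.parse(unb64url(h))['alg']
    raise VerificationError, "algorithm #{alg.inspect} not allowed" unless algorithms.include?(alg)
    check_hmac!(h, p, s, key)
    JSON.parse(unb64url(p))
  end

  def self.check_hmac!(h, p, s, key)
    expected = b64url(hmac_sha256(key, "#{h}.#{p}"))
    raise VerificationError, 'bad signature' unless constant_time_eq?(expected, s.to_s)
  end

  def self.constant_time_eq?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Returns the 'admin' claim a verifier accepted, or the error it raised.
  def self.outcome
    claims = yield
    claims['admin']
  rescue VerificationError => e
    e.message
  end

  # Walks through the attack: forge an admin claim with alg none, then check
  # it against both verifiers, alongside a genuine HS256 token and a tampered
  # copy of it (payload swapped, original signature kept).
  def self.forgery_outcomes(secret)
    claims = { 'sub' => 'alice', 'admin' => false }          # constructed sample claims
    forged = encode(claims.merge('admin' => true), nil, 'none')
    signed = encode(claims, secret, 'HS256')
    h, _p, s = signed.split('.', 3)
    tampered = [h, b64url(JSON.generate(claims.merge('admin' => true))), s].join('.')
    {
      naive_none:      outcome { decode_trusting_header(forged, secret) },  # true: forgery accepted
      strict_none:     outcome { decode(forged, secret) },                  # "algorithm \"none\" not allowed"
      strict_valid:    outcome { decode(signed, secret) },                  # false: genuine claim
      strict_tampered: outcome { decode(tampered, secret) }                 # "bad signature"
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = OpenSSL::Random.random_bytes(32)  # constructed; real code loads this from configuration
  MiniJwt.forgery_outcomes(secret).each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

The naive verifier is the failure mode the rule is guarding against on the decode side: the header's alg is attacker-controlled input, so the accepted algorithm set must live in server configuration. The jwt gem applies the same principle when JWT.decode is given an explicit algorithm.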

Non-Compliant Code Examples

jwt_token = JWT.encode content, nil, 'none'

Compliant Code Examples

# hmac_secret is a high-entropy key loaded from configuration, never nil or empty
jwt_token = JWT.encode content, hmac_secret, 'HS256'