Ensure JWT use an algorithm
ID: ruby-security/jwt-algorithm-none
Language: Ruby
Severity: Warning
Category: Security
CWE: 327
Description
The rule "Ensure JWT use an algorithm" is important because it checks whether your JSON Web Tokens (JWT) are signed with a secure algorithm. JWT is a compact, URL-safe means of representing claims to be transferred between two parties. However, if a JWT is encoded without a secure signing algorithm, it can be easily forged or manipulated, compromising the security of the data it carries.
The 'none' algorithm is a security vulnerability because it allows a token to be accepted without any signature. This means anyone can create a token that passes validation.
To avoid this, always specify a secure algorithm when encoding a JWT. For instance, 'HS256' is a commonly used, secure algorithm. In Ruby, when using the JWT.encode method, the third parameter should be a secure algorithm, such as 'HS256'. For example: jwt_token = JWT.encode content, nil, 'HS256'. Never use 'none' as the algorithm. The second parameter is the signing secret, which in real code must be a strong, non-empty key; nil is only a placeholder in the snippets below. Signing protects the integrity of your JWTs; note that it does not encrypt the payload, so claims that must stay confidential need separate encryption.
Non-Compliant Code Examples
jwt_token = JWT.encode content, nil, 'none'
Compliant Code Examples
jwt_token = JWT.encode content, nil, 'HS256'
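As an added example (not part of this rule page or of the jwt gem's code), the following shows the HS256 signing the rule asks for together with the other half of the defence: a verifier that pins the algorithm instead of trusting the token header, so a token claiming 'none' is rejected. It uses only the Ruby standard library; the module name, secret and payload values are constructed for the demo.

```ruby
require 'json'
require 'openssl'

# Stdlib-only HS256 JWT helpers (added example, not the jwt gem's code).
# The verifier decides which algorithm is acceptable; the header in the
# token is attacker-controlled and is only checked against that choice.
module PinnedJwt
  ALLOWED_ALG = 'HS256'

  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.unb64url(str)
    s = str.tr('-_', '+/')
    (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
  end

  # Constant-time comparison so a wrong signature is not leaked byte by byte.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Same shape as JWT.encode(payload, secret, 'HS256'): header.payload.signature
  def self.encode(payload, secret)
    signing_input = "#{b64url({ alg: ALLOWED_ALG, typ: 'JWT' }.to_json)}.#{b64url(payload.to_json)}"
    "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
  end

  # Returns the payload hash, or nil if the header algorithm is not HS256,
  # the signature is missing or wrong, or the token is malformed.
  def self.decode(token, secret)
    header_b64, payload_b64, sig_b64 = token.split('.', 3)
    return nil if sig_b64.nil?

    header = JSON.parse(unb64url(header_b64))
    return nil unless header.is_a?(Hash) && header['alg'] == ALLOWED_ALG

    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
    return nil unless secure_equal?(unb64url(sig_b64), expected)

    JSON.parse(unb64url(payload_b64))
  rescue JSON::ParserError, ArgumentError
    nil
  end
end
```

A token produced by JWT.encode content, secret, 'HS256' decodes with PinnedJwt.decode(token, secret), while any token whose header says 'none' returns nil regardless of its payload.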