If a JSON Web Token (JWT) is not signed with a strong cipher algorithm (or not signed at all) an attacker can forge it and impersonate user identities.

• Don't use none algorithm to sign or verify the validity of an algorithm.
• Don't use a token without verifying its signature before.

Noncompliant Code Example

jsonwebtoken library:

const jwt = require('jsonwebtoken');

let token = jwt.sign({ foo: 'bar' }, key, { algorithm: 'none' }); // Noncompliant: JWT should include a signature

jwt.verify(token, key, { expiresIn: 360000 * 5, algorithms: ['RS256', 'none'] }, callbackcheck); // Noncompliant: none algorithm should not be used when verifying JWT signature

Compliant Solution

jsonwebtoken library:

const jwt = require('jsonwebtoken');

let token = jwt.sign({ foo: 'bar' }, key, { algorithm: 'HS256' }); // Compliant

jwt.verify(token, key, { expiresIn: 360000 * 5, algorithms: ['HS256'] }, callbackcheck); // Compliant

See

• OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
• MITRE, CWE-347 - Improper Verification of Cryptographic Signature