
JWT Token Security

JSON Web Tokens (JWTs) are commonly used as bearer tokens, but misconfigurations can lead to complete authentication bypasses.

The 'None' Algorithm Vulnerability

Attackers can manipulate the JWT header, changing the algorithm (alg) to none and dropping the signature. If the backend library trusts the alg value in the header instead of enforcing the algorithm it expects, it accepts the unsigned token as valid, letting the attacker spoof any user ID.
  • Always enforce the algorithm (e.g., RS256 or HS256) during verification.
  • Verify the iss (Issuer), aud (Audience), and exp (Expiration) claims.
  • Use RS256 (asymmetric) over HS256 (symmetric) if the token must be validated by multiple microservices, allowing them to verify it using a public JWKS endpoint without sharing a secret key.