JWT using insecure 'none' algorithm
Description
Setting 'algorithm="none"' when encoding or decoding a JWT disables signature verification entirely, so anyone can forge a token with arbitrary claims. Always use a secure algorithm such as HS256 or RS256.
Examples
Insecure Code

```python
import jwt
jwt.encode(payload, None, algorithm="none")  # unsigned token: any client can forge it
```

Secure Code

```python
import jwt
jwt.encode(payload, secret_key, algorithm="HS256")  # HMAC-SHA256 signed with a server-held secret
```

Remediation
Replace 'none' with a secure algorithm such as 'HS256' or 'RS256' in both jwt.encode and jwt.decode calls.
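The following is an added example, not code from the original rule page or from any JWT library. It implements HS256 issuance and verification directly on top of Python's standard library (hmac, hashlib, base64, json) so it runs without PyJWT, and shows the defensive point behind this rule: the verifier pins its own allow-list of algorithms and rejects a token whose header claims alg "none" before it ever looks at the signature. SECRET and the payloads are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for this example (not from the original page).
SECRET = b"example-secret-key-change-me"
# The verifier's algorithm allow-list. It is fixed server-side and never
# read from the token: the header is untrusted input.
ALLOWED_ALGS = frozenset({"HS256"})


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def encode_hs256(payload: dict, key: bytes) -> str:
    """Issue a compact JWT signed with HMAC-SHA256 (the JWS 'HS256' algorithm)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_verified(token: str, key: bytes, allowed_algs=ALLOWED_ALGS) -> dict:
    """Return the payload only if the header algorithm is allowed and the signature checks out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    # Decide from the server-side allow-list before touching the signature, so
    # 'none' (and any other unexpected algorithm) is rejected outright.
    if alg not in allowed_algs:
        raise ValueError(f"algorithm {alg!r} not allowed")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def alg_none_test_token(payload: dict) -> str:
    """Negative test input: a token with alg=none and an empty signature, which a
    correct verifier must reject regardless of what the payload claims."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(payload) + "."


def run_checks() -> dict:
    """Exercise the verifier with a valid token, an alg=none token, and a tampered payload."""
    good = encode_hs256({"sub": "alice", "role": "user"}, SECRET)
    header_b64, _payload_b64, sig_b64 = good.split(".")
    # Same header and signature, but the payload segment was swapped: the HMAC no longer matches.
    tampered = header_b64 + "." + _segment({"sub": "alice", "role": "admin"}) + "." + sig_b64
    cases = {
        "alg_none": alg_none_test_token({"sub": "alice", "role": "admin"}),
        "tampered": tampered,
    }
    results = {"valid": decode_verified(good, SECRET)}
    for name, token in cases.items():
        try:
            decode_verified(token, SECRET)
            results[name] = "ACCEPTED"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name}: {outcome}")
```

The important design choice is in decode_verified: the allowed algorithm set lives in server code, not in the token, and the check happens before any signature work. With a real library the same shape applies; PyJWT's jwt.decode, for instance, takes an explicit algorithms= allow-list, and passing one that excludes "none" is the library-level form of this check.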
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0510 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-327 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | jwt, insecure algorithm |
| OWASP | A02:2021-Cryptographic Failures |