Token Hardening · January 2025
Ban `alg: none` in every environment
Insecure JWT defaults creep into staging and test environments, then leak into production through misconfiguration. Here is how to keep unsigned tokens out of your stack.
Why `alg: none` exists
`alg: none` was defined for debugging and research. Attackers abuse it to bypass signature checks: a token whose header declares `none` carries no signature, so a verifier that honours the header skips validation entirely. If any component in the request path accepts such a token, an attacker can mint tokens with arbitrary claims and forge admin sessions.
Audit your toolchain
- Search source control for `jwt.decode` or `verify` calls that disable verification.
- Check CI/CD pipelines for environment variables that skip signature validation.
- Confirm that API gateways and reverse proxies enforce allowed algorithms.
Enforce safe algorithms
Configure libraries to accept only strong algorithms, and pin that allow list in the verifier rather than reading the algorithm from the token header. For HMAC tokens, require HS256 or higher; for asymmetric tokens, prefer RS256 or ES256. Document the setting for every SDK.
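The allow-list rule above, as an added example that is not part of the original post: a minimal stdlib-only HS256 verifier that pins the accepted algorithm server-side and refuses any token whose header says `none` (or anything else not on the list). The secret and claims are constructed test values; `unsigned_token` exists only as a negative fixture for the check.

```python
import base64
import hashlib
import hmac
import json

# Allow list pinned by the service; the token header never gets to choose.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_jwt(token: str, secret: bytes) -> dict:
    """Return the claims only if alg is allowed and the HMAC matches."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg not in ALLOWED_ALGS:
        # Rejects "none", "None", a missing alg and anything not pinned above.
        raise ValueError(f"algorithm not allowed: {alg!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def is_rejected(token: str, secret: bytes) -> bool:
    # True when verify_jwt refuses the token; usable as a canary assertion.
    try:
        verify_jwt(token, secret)
    except ValueError:
        return True
    return False


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a properly signed HS256 token (constructed test fixture)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def unsigned_token(claims: dict) -> str:
    # Constructed alg:none token with an empty signature segment; negative fixture.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."
```

Wire `is_rejected` into the staging canary so a build fails the moment an unsigned token is accepted.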
Detection playbook
- Deploy canary tests that send `alg: none` tokens to staging endpoints.
- Alert immediately if any such request returns a 2xx response; an unsigned token should never be accepted.
- Block deploys until the check passes.
Automate with JWTSecrets
Our enterprise verifier maintains an allow list per service. It rejects unsigned tokens before they reach your application and logs the request for investigation.