DEV Community: SHAHJAHAN MD. SWAJAN The latest articles on DEV Community by SHAHJAHAN MD. SWAJAN (@swajannn). https://dev.to/swajannn https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F393719%2Fc2e99e69-5b65-48f4-ad8c-2499c92f3ba9.png DEV Community: SHAHJAHAN MD. SWAJAN https://dev.to/swajannn en I Audited 12 Open Source Projects' JWT Implementations and Found the Same 6 Mistakes in All of Them SHAHJAHAN MD. SWAJAN Wed, 22 Apr 2026 19:37:47 +0000 https://dev.to/swajannn/i-audited-12-open-source-projects-jwt-implementations-and-found-the-same-6-mistakes-in-all-of-them-4058 https://dev.to/swajannn/i-audited-12-open-source-projects-jwt-implementations-and-found-the-same-6-mistakes-in-all-of-them-4058 <p>It started with a throwaway comment in a code review.</p> <p>I was scanning through a popular Node.js starter template on GitHub — one with over 4,000 stars, regularly featured in "best Express boilerplate" roundup articles. The kind of repo junior developers clone on day one and senior developers use as a starting point for new services. And buried inside <code>config/default.js</code>, I found this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="na">jwtSecret</span><span class="p">:</span> <span class="dl">"</span><span class="s2">secret</span><span class="dl">"</span><span class="p">,</span> <span class="na">jwtExpiry</span><span class="p">:</span> <span class="dl">"</span><span class="s2">7d</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> </code></pre> </div> <p>Not a placeholder. Not a comment warning you to change it. Just... <code>"secret"</code>. Shipped to production in thousands of forks.</p> <p>I closed the tab, then reopened it. Then I opened eleven more repos.</p> <p>What I found over the next few hours was not reassuring. The same class of mistakes appeared again and again — not just in beginner repos, but in widely-used templates, production starter kits, and even a few packages with active contributors who clearly knew what they were doing. JWT is one of those technologies where the happy path works fine and the failure modes are invisible until someone is already inside your system.</p> <p>Here are the six mistakes I found, what they look like in real code, why they matter, and how to fix them.</p> <h2> The 12 Repos: A Quick Note on Scope </h2> <p>To keep this constructive rather than a public callout, I'm not naming repositories directly. Instead I'll describe them by category. The sample included:</p> <ul> <li>3 Express + MongoDB boilerplates (2,000–8,000 stars each)</li> <li>2 NestJS starter kits</li> <li>2 full-stack Next.js templates with built-in auth</li> <li>1 Fastify REST API scaffold</li> <li>1 Node.js microservices example repo from a major cloud provider's tutorial series</li> <li>1 React Native + Node backend starter</li> <li>1 GraphQL + Apollo Server template</li> <li>1 open-source SaaS boilerplate with a paid tier All were JavaScript or TypeScript. All used <code>jsonwebtoken</code> or a thin wrapper around it. All had at least one of the six mistakes below. Eight had three or more.</li> </ul> <h2> Mistake 1 — The Hardcoded Static Secret </h2> <p><strong>Frequency: 10 of 12 repos</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// The most common pattern I found</span> <span class="kd">const</span> <span class="nx">jwt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">jsonwebtoken</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">SECRET</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">mysecret123</span><span class="dl">"</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">generateToken</span><span class="p">(</span><span class="nx">userId</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">({</span> <span class="nx">userId</span> <span class="p">},</span> <span class="nx">SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1d</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">verifyToken</span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Variations I encountered: <code>"secret"</code>, <code>"jwt_secret"</code>, <code>"your-secret-key"</code>, <code>"supersecret"</code>, <code>"changeme"</code>, and my personal favourite, <code>"TODO_REPLACE_THIS"</code> — which had not been replaced in any of the commits going back two years.</p> <p><strong>Why it's dangerous:</strong></p> <p>The security of HMAC-based JWT (HS256, HS384, HS512) depends entirely on the unpredictability of the secret. If an attacker knows or guesses the secret, they can forge any token — including <code>{ "role": "admin" }</code> tokens for users that don't exist.</p> <p>A string like <code>"mysecret123"</code> has roughly 65 bits of entropy in theory, but in practice it's a dictionary target. Security researchers maintain public lists of common JWT secrets scraped from GitHub, Stack Overflow, and tutorial sites. If your secret appears in that list — and <code>"secret"</code>, <code>"mysecret"</code>, and <code>"jwt_secret"</code> absolutely do — a brute-force attack with a modern GPU takes seconds, not years.</p> <p>For HS256, you need a minimum of 256 bits (32 bytes) of cryptographically random data. Not a memorable string. Not a UUID. Not your app name.</p> <p><strong>The fix:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Generate once using Node's crypto module</span> <span class="kd">const</span> <span class="nx">crypto</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">crypto</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="mi">32</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">));</span> <span class="c1">// outputs: 3f2a1b9c4d8e7f6a... (64 hex chars = 256 bits)</span> </code></pre> </div> <p>Store this in an environment variable. Never in source code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// In production</span> <span class="kd">const</span> <span class="nx">SECRET</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">SECRET</span> <span class="o">||</span> <span class="nx">SECRET</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="mi">32</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">JWT_SECRET must be set and at least 32 characters</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>If you need a production-grade 256-bit secret right now, <a href="https://jwtsecretgenerator.com/tools/jwt-secret-generator" rel="noopener noreferrer">jwtsecretgenerator.com/tools/jwt-secret-generator</a> generates one client-side using the Web Crypto API — nothing leaves your browser. It's the fastest way to get a properly random secret with zero server-side risk.</p> <h2> Mistake 2 — The <code>algorithm: "none"</code> Attack Surface </h2> <p><strong>Frequency: 7 of 12 repos</strong></p> <p>The classic JWT algorithm confusion attack. Here's the vulnerable pattern I found repeatedly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Vulnerable — no algorithm allowlist</span> <span class="kd">function</span> <span class="nf">verifyToken</span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>An attacker who can intercept or modify a token can change the header from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"alg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HS256"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"JWT"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"alg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"none"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"JWT"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Then strip the signature entirely. Older versions of some JWT libraries — and <code>jsonwebtoken</code> without explicit algorithm enforcement — will verify this token as valid, because a "none" algorithm means "no signature required." The attacker has just granted themselves any claims they want.</p> <p>Here's what a decoded <code>alg: none</code> attack payload looks like in practice:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">#</span><span class="w"> </span><span class="err">Header</span><span class="w"> </span><span class="err">(base</span><span class="mi">64</span><span class="err">url</span><span class="w"> </span><span class="err">decoded)</span><span class="w"> </span><span class="p">{</span><span class="nl">"alg"</span><span class="p">:</span><span class="s2">"none"</span><span class="p">,</span><span class="nl">"typ"</span><span class="p">:</span><span class="s2">"JWT"</span><span class="p">}</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">Payload</span><span class="w"> </span><span class="err">(base</span><span class="mi">64</span><span class="err">url</span><span class="w"> </span><span class="err">decoded)</span><span class="w"> </span><span class="p">{</span><span class="nl">"userId"</span><span class="p">:</span><span class="s2">"1"</span><span class="p">,</span><span class="nl">"role"</span><span class="p">:</span><span class="s2">"admin"</span><span class="p">,</span><span class="nl">"iat"</span><span class="p">:</span><span class="mi">1714000000</span><span class="p">}</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">Signature</span><span class="w"> </span><span class="err">(empty</span><span class="w"> </span><span class="err">string)</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">Final</span><span class="w"> </span><span class="err">token</span><span class="w"> </span><span class="err">eyJhbGciOiJub</span><span class="mi">25</span><span class="err">lIiwidHlwIjoiSldUIn</span><span class="mi">0</span><span class="err">.eyJ</span><span class="mi">1</span><span class="err">c</span><span class="mi">2</span><span class="err">VySWQiOiIxIiwicm</span><span class="mi">9</span><span class="err">sZSI</span><span class="mi">6</span><span class="err">ImFkbWluIiwiaWF</span><span class="mi">0</span><span class="err">IjoxNzE</span><span class="mi">0</span><span class="err">MDAwMDAwfQ.</span><span class="w"> </span></code></pre> </div> <p><strong>The fix:</strong></p> <p>Always pass an explicit <code>algorithms</code> allowlist to <code>jwt.verify()</code>. This is not optional.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Safe — explicit algorithm allowlist</span> <span class="kd">function</span> <span class="nf">verifyToken</span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">algorithms</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">HS256</span><span class="dl">"</span><span class="p">],</span> <span class="c1">// NEVER include "none"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>If you use RS256 (asymmetric), explicitly allow only <code>["RS256"]</code>. Never use an empty array or omit the option entirely.</p> <h2> Mistake 3 — Secrets Committed to Git </h2> <p><strong>Frequency: 6 of 12 repos</strong></p> <p>A few repos had cleaned up their secrets into environment variables — but their Git history told a different story. You can search for this pattern yourself:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># GitHub code search query (do not run on live repos you don't own) language:JavaScript "jwt.sign" "secret" NOT ".env" </code></pre> </div> <p>Results: tens of thousands of public files. Many are tutorials. Many are not.</p> <p>Here's the dangerous reality of Git history: even after you delete a secret from your codebase, it still exists in every commit before the deletion. Anyone who cloned the repo before you pushed the fix still has it. Anyone with access to GitHub's search can find it.</p> <p>I found this specific pattern in a repo with 3,000+ stars — a <code>.env.example</code> file that had been copy-pasted directly into <code>.env</code> and committed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># .env (committed by mistake, later deleted — but still in git log)</span> <span class="nv">DATABASE_URL</span><span class="o">=</span>mongodb://localhost/myapp <span class="nv">JWT_SECRET</span><span class="o">=</span>f7k2j9x1_my_production_secret_do_not_share <span class="nv">STRIPE_SECRET_KEY</span><span class="o">=</span>sk_live_... </code></pre> </div> <p>The <code>sk_live_</code> key had already been rotated. The JWT secret had not.</p> <p><strong>The fix:</strong></p> <p>Add <code>.env</code> to <code>.gitignore</code> before your first commit. Always.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># .gitignore</span> .env .env.local .env.production <span class="k">*</span>.pem </code></pre> </div> <p>If a secret is already in your history, rotation is mandatory — not optional.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Rotate immediately, then use git filter-repo to purge history</span> pip <span class="nb">install </span>git-filter-repo git filter-repo <span class="nt">--path</span> .env <span class="nt">--invert-paths</span> <span class="c"># Force push to all remotes (coordinate with your team first)</span> git push origin <span class="nt">--force</span> <span class="nt">--all</span> </code></pre> </div> <p>Then rotate the secret itself, invalidating all existing tokens.</p> <h2> Mistake 4 — Expiration (<code>exp</code>) Not Enforced </h2> <p><strong>Frequency: 5 of 12 repos</strong></p> <p>Signature verification and expiry validation are separate concerns. Some repos verify one and skip the other.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Subtly broken — verifies signature but issues tokens that never expire</span> <span class="kd">function</span> <span class="nf">generateToken</span><span class="p">(</span><span class="nx">userId</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// No expiresIn option!</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">({</span> <span class="nx">userId</span> <span class="p">},</span> <span class="nx">SECRET</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// And on the verification side, a custom decoder that only checks signature:</span> <span class="kd">function</span> <span class="nf">getUserFromToken</span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="nx">token</span><span class="p">);</span> <span class="c1">// decode, not verify</span> <span class="k">if </span><span class="p">(</span><span class="nx">decoded</span> <span class="o">&amp;&amp;</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">userId</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">userId</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><code>jwt.decode()</code> does not verify the signature. It does not check expiry. It literally just base64-decodes the payload. If your auth middleware calls <code>jwt.decode()</code> instead of <code>jwt.verify()</code>, your entire auth layer is bypassed.</p> <p>Even when <code>jwt.verify()</code> is used correctly, I found several repos that issued tokens with no <code>exp</code> claim at all. A token without <code>exp</code> never expires. Ever. If it leaks — in a log file, in a frontend error boundary, in a network request captured at a coffee shop — it's valid forever.</p> <p><strong>The fix:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Always set expiresIn</span> <span class="kd">function</span> <span class="nf">generateToken</span><span class="p">(</span><span class="nx">userId</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="nx">userId</span> <span class="p">},</span> <span class="nx">SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">15m</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// short-lived access tokens</span> <span class="na">algorithm</span><span class="p">:</span> <span class="dl">"</span><span class="s2">HS256</span><span class="dl">"</span><span class="p">,</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Always use verify(), never decode() for auth</span> <span class="kd">function</span> <span class="nf">verifyToken</span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">algorithms</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">HS256</span><span class="dl">"</span><span class="p">],</span> <span class="c1">// clockTolerance: 30 (optional: allow 30s clock skew)</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>For most applications: access tokens at 15 minutes, refresh tokens at 7 days stored in an httpOnly cookie.</p> <h2> Mistake 5 — Signing and Verification With Different Secrets </h2> <p><strong>Frequency: 3 of 12 repos</strong></p> <p>This one is subtle and disproportionately common in microservice architectures. It surfaces as a maddening "invalid signature" error in production that works perfectly in development.</p> <p>Here's the pattern from a multi-service repo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// auth-service/src/token.js</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">({</span> <span class="nx">userId</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1d</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// api-gateway/src/middleware/auth.js</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">APP_SECRET</span><span class="p">);</span> <span class="c1">// different env var name!</span> </code></pre> </div> <p>In <code>docker-compose.yml</code> for local development:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">auth-service</span><span class="pi">:</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">JWT_SECRET</span><span class="pi">:</span> <span class="s2">"</span><span class="s">dev-secret"</span> <span class="na">api-gateway</span><span class="pi">:</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">APP_SECRET</span><span class="pi">:</span> <span class="s2">"</span><span class="s">dev-secret"</span> <span class="c1"># same value locally, easy to miss</span> </code></pre> </div> <p>In production the values diverged. Someone set <code>APP_SECRET</code> to a new rotated value and didn't update <code>JWT_SECRET</code>. Tokens signed by auth-service became immediately invalid everywhere else.</p> <p><strong>The fix:</strong></p> <p>Standardize the environment variable name across all services. Use a shared secrets manager (AWS Secrets Manager, HashiCorp Vault, Doppler) so all services draw from a single source of truth.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Centralized config with validation — same module or same env var name across services</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">jwtSecret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">,</span> <span class="na">jwtAlgorithm</span><span class="p">:</span> <span class="dl">"</span><span class="s2">HS256</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> <span class="c1">// Validate at startup, not at runtime</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">config</span><span class="p">.</span><span class="nx">jwtSecret</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">JWT_SECRET is required</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">config</span><span class="p">;</span> </code></pre> </div> <p>And document which service signs, which services verify, and what the shared secret name is. Put it in your runbook.</p> <h2> Mistake 6 — Short Human-Readable Secrets With HS256 </h2> <p><strong>Frequency: 9 of 12 repos</strong></p> <p>This is the most insidious mistake because the code looks "fixed." The developer has moved the secret to an environment variable. They're not hardcoding it. They're being responsible. But the secret itself is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">JWT_SECRET</span><span class="p">=</span><span class="s">MyApp2024Secure!</span> </code></pre> </div> <p>Twelve characters. Entirely alphabetic with one symbol and a number. Memorable enough to type by hand.</p> <p>Here's the entropy problem: HS256 operates on raw bytes. The question is not how long the string looks — it's how many possible values it could be.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Character set for typical "memorable" passwords: - Lowercase letters: 26 - Uppercase letters: 26 - Digits: 10 - Common symbols: 32 Total: ~94 characters Entropy per character: log2(94) ≈ 6.5 bits A 12-character password: 12 × 6.5 = ~78 bits of entropy HS256 security requirement: 256 bits minimum Shortfall: 178 bits </code></pre> </div> <p>78 bits sounds like a lot until you realize that modern GPU clusters can crack bcrypt hashes at millions of attempts per second. JWT secrets are not bcrypt — they're HMAC-SHA256, which is orders of magnitude faster to brute force. Security researchers maintain curated dictionaries of common JWT secrets — "MyApp2024", company names, and any string that appears in public repos are all in there.</p> <p>If your secret is human-generated, it's a target. Full stop.</p> <p><strong>The fix:</strong></p> <p>Use a CSPRNG (Cryptographically Secure Pseudorandom Number Generator) to generate 256+ bits of entropy. The result will not be memorable. That's the point.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Node.js — run this once, save the output in your secrets manager</span> <span class="kd">const</span> <span class="nx">crypto</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">crypto</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// 32 bytes = 256 bits</span> <span class="kd">const</span> <span class="nx">secret</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="mi">32</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">base64url</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">secret</span><span class="p">);</span> <span class="c1">// Example output: 3Hs8dKj2mNpQrT5wXvYzAb7eGcFhIiJl (never use this specific value)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Or from the shell</span> node <span class="nt">-e</span> <span class="s2">"console.log(require('crypto').randomBytes(32).toString('base64url'))"</span> <span class="c"># Or with openssl</span> openssl rand <span class="nt">-base64</span> 32 </code></pre> </div> <p>The result looks like noise. It should. Store it in your secrets manager, inject it at runtime, rotate it when team members leave or secrets are suspected of compromise.</p> <h2> The Pre-Ship JWT Checklist </h2> <p>Before you deploy JWT-based auth, run through every item:</p> <p><strong>Secret quality</strong></p> <ul> <li>[ ] Secret is generated by a CSPRNG (not typed by a human)</li> <li>[ ] Secret is at least 32 bytes (256 bits) for HS256</li> <li>[ ] Secret is stored in a secrets manager or environment variable — never in code <strong>Code hygiene</strong> </li> <li>[ ] <code>.env</code> is in <code>.gitignore</code> and was never committed</li> <li>[ ] <code>git log</code> does not contain the secret in any historical commit</li> <li>[ ] <code>jwt.verify()</code> is used everywhere (never <code>jwt.decode()</code> for auth) <strong>Algorithm enforcement</strong> </li> <li>[ ] <code>algorithms</code> option is explicitly set in <code>jwt.verify()</code> </li> <li>[ ] <code>"none"</code> is not in the allowed algorithms list</li> <li>[ ] If using RS256/ES256, private key never leaves the signing service <strong>Token lifecycle</strong> </li> <li>[ ] All tokens have an <code>exp</code> claim (<code>expiresIn</code> option is set)</li> <li>[ ] Access token expiry is 15–60 minutes maximum</li> <li>[ ] Refresh tokens are stored in httpOnly cookies, not localStorage <strong>Multi-service safety</strong> </li> <li>[ ] All services use the same environment variable name for the JWT secret</li> <li>[ ] Secret is sourced from a shared secrets store, not per-service <code>.env</code> files</li> <li>[ ] Startup validation throws if <code>JWT_SECRET</code> is missing or too short</li> </ul> <h2> Closing Thought </h2> <p>None of these mistakes are exotic. They're copy-paste errors, tutorial leftovers, and configuration drift between environments. The reason they appear in repos with thousands of stars is the same reason they appear everywhere: JWT's happy path is completely invisible to security issues. The token works. Auth passes. Tests pass. Nothing breaks until someone exploits it.</p> <p>The most important item on the checklist is the first one. A CSPRNG-generated secret neutralizes most of the other risks at source — you can't brute force 256 bits of true randomness, even with excellent tooling. Get that right, enforce algorithm allowlists, and set expiry. The rest is defense in depth.</p> <p>If you want to generate a properly random secret right now without writing a script, <a href="https://jwtsecretgenerator.com" rel="noopener noreferrer">jwtsecretgenerator.com</a> does it entirely client-side with the Web Crypto API. No accounts, no logs, no network request for the key itself. Just a cryptographically sound secret ready to paste into your secrets manager.</p> <p><em>Found a mistake I missed? A 7th pattern that deserves to be on this list? Drop it in the comments — I'll update the post and credit you.</em></p> security jwt node webdev