DEV Community


Discussion on: Use JSON Web Tokens to Make a Secure Web App

François Best

Security tip when working with JWTs: always specify which algorithms you accept when verifying (and specify the same when signing).

This prevents an attacker from crafting an unsigned JWT (using algorithm: none) and accessing anybody's data.

There are a lot of supported algorithms, HS256 is a good minimum for symmetric verification (where the JWT secret is known by both the crafter and the verifier, which are usually the same server).

Take a look at the documentation for the jsonwebtoken library for more information:

John Au-Yeung Author

Yes. We should sign it so that we can verify if the JWT is authentic on production.