Security tip when working with JWTs: always specify which algorithms you accept when verifying (and specify the same when signing).
This prevents an attacker from crafting an unsigned JWT (using algorithm: none) and accessing anybody's data.
There are a lot of supported algorithms; HS256 is a good minimum for symmetric verification (where the JWT secret is known by both the crafter and the verifier, which are usually the same server).
Take a look at the documentation for the jsonwebtoken library for more information: github.com/auth0/node-jsonwebtoken
Yes. We should sign it so that we can verify if the JWT is authentic on production.