DEV Community

loading...

Discussion on: Use JSON Web Tokens to Make a Secure Web App

Collapse
franky47 profile image
François Best • Edited

Security tip when working with JWTs: always specify which algorithms you accept when verifying (and specify the same when signing).

This prevents an attacker from crafting an unsigned JWT (using algorithm: none) and accessing anybody's data.

There are a lot of supported algorithms, HS256 is a good minimum for symmetric verification (where the JWT secret is known by both the crafter and the verifyier, which are usually the same server).

Take a look at the documentation for the jsonwebtoken library for more information:
github.com/auth0/node-jsonwebtoken

Collapse
aumayeung profile image
John Au-Yeung Author

Yes. We should sign it so that we can verify if the JWT is authentic on production.