JWT 'none' algorithm accepted
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
A JWT verify/sign configuration lists the 'none' algorithm, which accepts unsigned tokens and lets an attacker forge any claim.
Why it matters
The 'none' JWT algorithm means the token carries no signature, so the verifier accepts any payload it is handed. An attacker can take a real token, set the algorithm header to none, strip the signature, and rewrite the claims to become any user, including an admin. Libraries that allow none in their accepted-algorithm list defeat the entire point of signing tokens.
How to fix it
Pin verification to the exact asymmetric or symmetric algorithm you actually sign with, for example algorithms: ['RS256'] or ['HS256'], and never include 'none'. Reject tokens whose header algorithm is not in that list. If a library defaults to accepting any algorithm, pass the allowlist explicitly on every verify call.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo