Will It Vibe logoWill It Vibe?
CRYPTO-026High severity-15 points

JWT 'none' algorithm

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

Signing or accepting a JWT with the 'none' algorithm means the token has no signature, so anyone can forge one.

Why it matters

A JWT with alg set to 'none' carries no signature, so the server is trusting claims that anyone can write. If verification accepts 'none', an attacker forges a token that says they are an admin and the server believes it. This is one of the most exploited JWT misconfigurations.

How to fix it

Never sign with 'none', and pin the accepted algorithm on verification to the exact one you issue (for example HS256 or RS256) via an explicit allowlist. Reject any token whose header algorithm is not in that list. Keep the signing key in a secret store, and for RS256/ES256 verify with the public key only.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks