JWT — Signed Claims, Carry-On Format

The JWT spec includes "alg": "none" meaning "no signature." Several libraries, in their early days, accepted it — passing an unsigned token through validation as if it were valid. Anyone with a text editor became an admin.

Defense: pin the expected algorithm. Don't accept whatever the token's header claims. Use libraries that require an explicit algorithm whitelist.

If the verifier accepts whatever alg the token claims, an attacker can take a token signed with RS256 (asymmetric), change alg to HS256 (symmetric), and sign it using the public key as the HMAC secret. Some libraries did this. The fix is the same: pin the algorithm.

Verifying the signature is necessary; it's not sufficient. Always validate:

• iss matches the expected issuer.
• aud matches your service.
• exp in the future, nbf in the past.
• iat reasonable (not far-future).

A signed token from another service that hasn't checked these is still an attack vector when accepted by yours.

JWT payloads are signed, not encrypted. Anyone who sees the token can decode the claims. PII, internal IDs, sensitive flags shouldn't be there unless you're using JWE (encrypted JWT).

A compromised JWT is valid until exp. Without server state you can't revoke it. Three mitigations:

• Keep access tokens short (minutes), refresh tokens server-side and revocable.
• Maintain a small, fast denylist of revoked jtis for high-value scenarios (logout, password change).
• Bind tokens to a key the client holds (DPoP, mTLS) so the token alone isn't enough.

localStorage is XSS-readable. One DOM XSS leaks every token in every session. Prefer HttpOnly cookies for browser-stored tokens, paired with a backend-for-frontend that proxies API calls. Modern guidance is unambiguous on this.

The kid header tells the verifier which key to use. Some libraries used it as a path or DB lookup — and attackers smuggled SQLi or path traversal through it. Treat kid as opaque, look it up against a fixed JWKS, never as a path.