Critiq Docs

security.authentication

Verify JWT signatures before trusting claims

Parsing JWTs with `jwt.Parse` and a nil keyfunc, `jwt.ParseUnverified`, or `jwt.Decode` skips signature verification and lets attackers forge tokens.

#Metadata

Rule ID: go.security.jwt-without-verification
Severity: high
Confidence: 0.85
Languages: go
Presets: security, strict
Stability: experimental
Applies to: block
Tags: authentication, go, jwt, rules-catalog, security

#Why it matters

Trusting unverified JWTs allows attackers to impersonate users or escalate privileges by crafting tokens with arbitrary claims.

#Remediation

Provide a non-nil keyfunc to `jwt.Parse` (or `jwt.ParseWithClaims`) and check that the returned token's `Valid` field is true before reading any claim.
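The contrast the rule draws, as an added example that is neither the Critiq rule's code nor golang-jwt's: it is written against the Go standard library so it runs without the jwt module, with `decodeUnverified` standing in for `jwt.ParseUnverified` (or `jwt.Parse` with a nil keyfunc) and `parseVerified` for `jwt.Parse` with a real keyfunc followed by the `Valid` check. The function names, the HS256 key and the claims are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// signHS256 mints a compact JWS (header.payload.signature); used here to build sample tokens.
func signHS256(claims map[string]any, key []byte) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	input := header + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// decodeUnverified is what jwt.ParseUnverified (or jwt.Parse with a nil keyfunc)
// hands back: claims with the signature never checked, so any payload is accepted.
func decodeUnverified(token string) (claims map[string]any, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(payload, &claims)
	}
	return claims, err
}

// parseVerified is the hardened path (jwt.Parse with a real keyfunc plus a token.Valid check):
// recompute HS256 with the server key and compare in constant time before decoding any claim.
func parseVerified(token string, key []byte) (map[string]any, error) {
	i := strings.LastIndexByte(token, '.')
	if i < 0 {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key) // algorithm pinned server-side, never read from the header
	mac.Write([]byte(token[:i]))
	sig, err := base64.RawURLEncoding.DecodeString(token[i+1:])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("invalid signature: claims must not be trusted")
	}
	return decodeUnverified(token) // safe only after the signature check
}
```

A payload edited after signing, a token signed with a different key, and a token with an empty signature all decode fine through `decodeUnverified` but are rejected by `parseVerified`.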

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/go/go.security.jwt-without-verification.rule.yaml.