Critiq Docs

security.authentication

Verify JWT signatures before trusting claims

Decoding a JWT without verifying its signature allows attackers to forge tokens and impersonate users.

# Metadata

| Field | Value |
| --- | --- |
| Rule ID | `java.security.jwt-without-verification` |
| Severity | high |
| Confidence | 0.88 |
| Languages | java |
| Presets | security, strict |
| Stability | stable |
| Applies to | block |
| Tags | authentication, java, jwt, rules-catalog, security |

# Why it matters

Methods like `JWT.decode` and `Jwts.parser().parseClaimsJwt` return the header and claims without checking the cryptographic signature, so nothing read from those claims can be relied on as having come from the issuer.

# Remediation

Use `JWT.require(algorithm).build().verify(token)` or `Jwts.parser().setSigningKey(key).parseClaimsJws(token)` to authenticate the token before trusting claims.
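The flagged pattern next to its remediation, as an added example that is not part of the rule catalog. It assumes the auth0 `java-jwt` 4.x API and uses a constructed placeholder secret; the "foreign" token is minted under a key the server does not hold, standing in for a tampered token.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

public class JwtVerificationDemo {
    // Constructed placeholder secret; a real service loads it from a secret store.
    private static final Algorithm SERVER_ALG = Algorithm.HMAC256("server-secret-placeholder");
    private static final String ISSUER = "https://auth.example.invalid";

    // Flagged pattern: claims are read straight out of the decoded payload.
    static String roleWithoutVerification(String token) {
        DecodedJWT jwt = JWT.decode(token); // splits and base64-decodes; never checks the signature
        return jwt.getClaim("role").asString();
    }

    // Remediation: the verifier is pinned to the server's own algorithm and key,
    // so the incoming token's 'alg' header cannot choose how it is verified.
    private static final JWTVerifier VERIFIER = JWT.require(SERVER_ALG)
            .withIssuer(ISSUER)
            .build();

    static String roleWithVerification(String token) throws JWTVerificationException {
        DecodedJWT jwt = VERIFIER.verify(token); // signature, issuer and expiry are checked here
        return jwt.getClaim("role").asString();
    }

    public static void main(String[] args) {
        // Token minted by the real server.
        String genuine = JWT.create().withIssuer(ISSUER).withSubject("alice")
                .withClaim("role", "user").sign(SERVER_ALG);
        // Same shape, but signed under a key the server does not hold (constructed sample).
        String foreign = JWT.create().withIssuer(ISSUER).withSubject("alice")
                .withClaim("role", "admin").sign(Algorithm.HMAC256("some-other-key"));

        // The unverified path hands back whatever the payload says.
        System.out.println("decode only, foreign token: " + roleWithoutVerification(foreign));
        try {
            roleWithVerification(foreign);
        } catch (JWTVerificationException e) {
            System.out.println("verify, foreign token: rejected (" + e.getClass().getSimpleName() + ")");
        }
        System.out.println("verify, genuine token: " + roleWithVerification(genuine));
    }
}
```

Treat a `JWTVerificationException` as an authentication failure to log and reject, not as a parsing error to fall back from.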

# Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/java/java.security.jwt-without-verification.rule.yaml.