Verify JWT signatures before trusting claims | Critiq Docs

#Metadata

Rule ID: rust.security.jwt-without-verification
Severity: high
Confidence: 0.85
Languages: rust
Presets: security, strict
Stability: experimental
Applies to: block
Tags: authentication, jwt, rules-catalog, rust, security

#Why it matters

Trusting unverified JWTs allows attackers to forge tokens with arbitrary claims.

#Remediation

Pass a `DecodingKey` to `decode` and validate claims with a strict `Validation` configuration.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/rust/rust.security.jwt-without-verification.rule.yaml.

Back to directory Open rule in repository