Do not sign JWTs with the none algorithm | Critiq Docs

#Metadata

Rule ID: ts.security.jwt-insecure-signing-algorithm
Severity: critical
Confidence: 0.95
Languages: javascript, typescript
Presets: recommended, security, strict
Stability: stable
Applies to: block
Tags: authentication, jwt, rules-catalog, security

#Why it matters

The none algorithm allows tokens to be accepted without verification, defeating authentication.

#Remediation

Require asymmetric or HMAC algorithms explicitly and reject none at signing and verification layers.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.jwt-insecure-signing-algorithm.rule.yaml.

Back to directory Open rule in repository