GuardAPI

Fix JWT Vulnerabilities (Weak Signing, None Algo) in Express

JWT implementation flaws like the 'none' algorithm and weak signing keys are classic vulnerabilities that allow full account takeover. If you aren't explicitly whitelisting algorithms or using cryptographically secure secrets, your application is a playground for attackers. Here is how to stop being low-hanging fruit.

The Vulnerable Pattern

```javascript
const express = require('express');
const jwt = require('jsonwebtoken');

const app = express();
app.use(express.json());

// VULNERABILITY 1: Weak/Hardcoded Secret
const secret = 'super-secret-123';

app.post('/login', (req, res) => {
  // VULNERABILITY 2: No algorithm specified during signing
  const token = jwt.sign({ user: 'admin' }, secret);
  res.json({ token });
});

app.get('/admin', (req, res) => {
  const token = req.headers['authorization'];
  // VULNERABILITY 3: Verification without algorithm constraints
  // This can be susceptible to 'none' algorithm or HS256/RS256 confusion
  const decoded = jwt.verify(token, secret);
  res.send(decoded);
});
```

The Secure Implementation

The 'none' algorithm vulnerability allows an attacker to bypass authentication by providing a JWT with the 'alg' header set to 'none' and removing the signature portion. While modern libraries mitigate this by default, explicit whitelisting using the 'algorithms' array is the only way to ensure defense-in-depth against protocol downgrade attacks (e.g., forcing an RS256-configured server to use HS256 with the public key as the secret). Additionally, weak secrets enable offline brute-force attacks using tools like Hashcat. Always use secrets with at least 256 bits of entropy and rotate them regularly.

```javascript
const express = require('express');
const jwt = require('jsonwebtoken');
require('dotenv').config();

const app = express();
app.use(express.json());

// FIX 1: Use a high-entropy secret from environment variables
const JWT_SECRET = process.env.JWT_SECRET;
if (!JWT_SECRET) {
  // Fail closed at startup instead of signing or verifying with an undefined key
  throw new Error('JWT_SECRET is not set');
}

app.post('/login', (req, res) => {
  // FIX 2: Explicitly define a strong signing algorithm
  const token = jwt.sign({ user: 'admin' }, JWT_SECRET, {
    algorithm: 'HS256',
    expiresIn: '1h'
  });
  res.json({ token });
});

app.get('/admin', (req, res) => {
  try {
    const authHeader = req.headers['authorization'];
    // Expects "Bearer <token>"; a missing header yields undefined and fails verification
    const token = authHeader && authHeader.split(' ')[1];

    // FIX 3: Force algorithm whitelisting during verification
    // This strictly rejects the 'none' algorithm and prevents downgrade attacks
    const decoded = jwt.verify(token, JWT_SECRET, {
      algorithms: ['HS256']
    });
    res.send(decoded);
  } catch (err) {
    res.status(401).send('Unauthorized: Invalid or expired token');
  }
});
```


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.