Fix JWT Vulnerabilities (Weak Signing, None Algo) in Nuxt
JWT implementation in Nuxt/Nitro is a common failure point for developers who prioritize speed over security. The 'none' algorithm exploit and weak signing keys are the low-hanging fruit of auth bypasses. This guide demonstrates how to harden your server routes by enforcing a strict algorithm whitelist and using environment-backed secrets.
The Vulnerable Pattern
```ts
// VULNERABLE: server/api/me.get.ts
// defineEventHandler and getHeader are auto-imported by Nuxt; the explicit
// import from 'h3' is shown so the file reads on its own.
import { defineEventHandler, getHeader } from 'h3';
import jwt from 'jsonwebtoken';

export default defineEventHandler(async (event) => {
  const authHeader = getHeader(event, 'authorization');
  if (!authHeader) return { error: 'Unauthorized' };

  const token = authHeader.split(' ')[1];

  // VULNERABILITY 1: Weak hardcoded secret
  // VULNERABILITY 2: No algorithm restriction (permits 'none' or 'HS256' when 'RS256' is expected)
  const decoded = jwt.verify(token, 'secret-key-123');

  return { user: decoded };
});
```
The Secure Implementation
The vulnerable snippet fails because it trusts the 'alg' value in the token header, which is supplied by the client. An attacker can set the header to 'none', strip the signature, and the library may accept the token as valid if the allowed algorithms are not explicitly restricted. Furthermore, a hardcoded secret is easily extracted from a source control leak. The secure version pins the algorithm to 'HS256', so a token with alg 'none' is rejected before any signature check. It also uses Nuxt's 'useRuntimeConfig' to pull the secret from environment variables and wraps verification in a try-catch block so that library errors and stack traces never reach the client.
```ts
// SECURE: server/api/me.get.ts
import { defineEventHandler, getHeader, createError } from 'h3';
import jwt from 'jsonwebtoken';
// useRuntimeConfig is auto-imported by Nuxt in server routes. Declare
// `runtimeConfig: { jwtSecret: '' }` in nuxt.config and supply the real value
// through the NUXT_JWT_SECRET environment variable so it never lands in source control.

export default defineEventHandler(async (event) => {
  const config = useRuntimeConfig();
  const authHeader = getHeader(event, 'authorization');

  if (!authHeader?.startsWith('Bearer ')) {
    throw createError({ statusCode: 401, statusMessage: 'Missing or invalid token' });
  }

  const token = authHeader.split(' ')[1];

  try {
    // FIX 1: Use a high-entropy secret from runtime config (env variables)
    // FIX 2: Explicitly whitelist the expected algorithm to prevent 'none' bypass
    const decoded = jwt.verify(token, config.jwtSecret, {
      algorithms: ['HS256'],
      issuer: 'your-app-domain',
    });

    return { user: decoded };
  } catch (err) {
    // Generic message only: do not echo the library error or its stack to the client
    throw createError({ statusCode: 401, statusMessage: 'Token validation failed' });
  }
});
```
Verified by Ghost Labs Security Team