New
Introducing React Bench, see how different models perform on React code

react-doctor/jwt-insecure-verification

JWT verified with the 'none' algorithm

  • Category: Security
  • Severity: error
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: always
  • Tags: security-scan
  • Default: Enabled

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Confirm the reported code matches JWT verified with the 'none' algorithm. Check the framework context and diagnostic message before suppressing it.

Fix prompt

Use this once validation confirms the diagnostic is real.

Never accept the none algorithm; it disables signature verification and lets any forged token through. Pin the real algorithm(s) explicitly (jwt.verify(token, key, { algorithms: ['RS256'] })).

More Security rules from the rules reference: