A pentest reports your API accepts JWTs with `alg: none`. What's the impact and fix?
Short answer
`alg: none` lets anyone craft a valid-looking unsigned token and impersonate any user — a full authentication bypass, not a minor finding. Fix it by allow-listing the expected algorithms server-side and always verifying the signature with the right key; never trust the token's own alg header to pick the verification method. Longer expiry or moving where the token is stored does nothing about forged, unsigned tokens. This is critical and exploitable, so document is not a fix.
A JWT's security comes entirely from its signature. The header's alg field tells a verifier which algorithm was used — but if the server trusts that field and none is allowed, it skips signature verification entirely. An attacker then sends a token with the header {"alg":"none"}, any payload they like (for example a different sub or an admin role), and an empty signature. The server treats it as valid.
Why this is critical, not cosmetic
This is a complete authentication bypass. The attacker doesn't need to crack a key or guess a secret — they simply assert who they are and the server believes them. They can impersonate any user, including administrators, with a token they forged in seconds. That is the highest-severity outcome an auth system can have, so the "low impact, document it" option is dangerously wrong.
The correct fix
- Allow-list the expected algorithms server-side (e.g. only
RS256). Reject anything else, and explicitly rejectnone. - Always verify the signature against the correct key before reading any claim.
- Never let the token's own
algheader select the verification path. Decoupling trust from attacker-controlled input also blocks the related algorithm-confusion attack, where a token is switched fromRS256toHS256so the public key is misused as an HMAC secret.
Why the distractors fail
- Longer expiry changes how long a legitimate token lives; it does nothing about tokens that were never validly signed.
- Moving the token into a cookie affects transport and XSS/CSRF exposure, not whether a forged unsigned token is accepted.
What the interviewer is probing
Whether you grasp that the signature is the entire trust anchor, can articulate the bypass clearly, and reach for a server-side algorithm allow-list with mandatory verification — the kind of judgment expected of a senior AppSec engineer.
Likely follow-ups
- How does the related `RS256`-to-`HS256` confusion attack work, and how do you prevent it?
- Where should the algorithm allow-list live, and why must it be server-side?
- How would you detect attempted `alg: none` forgeries in your logs?