Usage of weak encryption algorithm in JWT

Description

Use any default encryption algorithm jwt library provides

Remediations

Use the HS256 algorithm for JWT encryption

  jwt.sign({ "foo": "bar"}, process.env.JWT_SECRET, {
    algorithm: "HS256"
  })

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_jwt_weak_encryption

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_jwt_weak_encryption