Weak JWT encryption detected

• Rule ID: javascript_lang_jwt_weak_encryption
• Languages: javascript
• Source: jwt_weak_encryption.yml

Description

Use any default encryption algorithm jwt library provides

Remediations

Use the HS256 algorithm for JWT encryption

  jwt.sign({ "foo": "bar"}, process.env.JWT_SECRET, {
    algorithm: "HS256"
  })

Resources

• OWASP weak encryption

Associated CWE

• CWE-327: Use of a Broken or Risky Cryptographic Algorithm

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_jwt_weak_encryption

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_jwt_weak_encryption