Usage of weak encryption algorithm in JWT
- Rule ID: python_django_jwt_weak_encryption
- Languages: python
- Source: jwt_weak_encryption.yml
Description
Implementing weak encryption algorithms in JWT (JSON Web Tokens) compromises the security of the tokens. This vulnerability occurs when an encryption algorithm that does not offer sufficient security strength is used, making the tokens susceptible to attacks.
Remediations
- Do use robust encryption algorithms recommended for JWT. HS256 (HMAC with SHA-256) is a secure choice for signing JWTs.
SIMPLE_JWT = {
"ALGORITHM": "HS256"
}
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=python_django_jwt_weak_encryption
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=python_django_jwt_weak_encryption