JWT Security Issues

The JWT standard and implementations exhibit a number of security related issues

6 minute read

Security concerns

Signature Stripping

A malicious party can simply strip the signature and rewrite the alg header (the signing algorithm, not an encryption algorithm) to none, so the token looks as if no signature was ever applied, and then go ahead and alter the payload. If the verifying party (the server consuming the token, not the client presenting it) does not explicitly require a signature to validate against, this would be accepted as a valid, unsigned JWT.

Remedy: Always require a signature, failing validation if none is present; this must be the very first thing in the processing of the request, so no further processing can take place. Verify against the algorithm and key the server expects, never against the algorithm the token's own header names.
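The attack and the remedy above, as an added example (not code from the original article or from any JWT library): a minimal HS256 signer, an attacker function that strips the signature and sets alg to none, a verifier that trusts the header (and so accepts the forgery), and a hardened verifier that rejects any token without a signature before it decodes the payload and checks the signature against the server's pinned algorithm. The key, claims and helper names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Shared HMAC key for HS256, constructed for this example only.
SECRET = b"example-hs256-key-do-not-reuse"


def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url without padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Server side: issue a properly signed HS256 token."""
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def strip_signature(token: str, changes: dict) -> str:
    """Attacker side: take a valid token, drop its signature, set alg to none
    and edit the payload. No key is needed for any of this."""
    _, payload_b64, _ = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    # Third segment is empty: the token claims to be unsigned.
    return encode_part({"alg": "none", "typ": "JWT"}) + "." + encode_part(payload) + "."


def verify_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Trusts the alg claim inside the token: alg=none skips the check entirely."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    if header.get("alg") == "none":
        return payload  # the bug: attacker-chosen header disables verification
    if header.get("alg") == "HS256":
        expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(parts[2])):
            return payload
    return None


def verify_hardened(token: str, key: bytes) -> Optional[dict]:
    """Rejects a missing signature first, then verifies with the algorithm the
    server expects (HS256 here); the payload is only decoded after that."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None  # no signature: stop before any further processing
    try:
        expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            return None
        header = json.loads(b64url_decode(parts[0]))
        if header.get("alg") != "HS256":
            return None  # header must agree with the pinned algorithm
        return json.loads(b64url_decode(parts[1]))
    except (ValueError, json.JSONDecodeError):
        return None


if __name__ == "__main__":
    issued = sign_hs256({"sub": "alice", "admin": False}, SECRET)
    forged = strip_signature(issued, {"admin": True})
    print("vulnerable verifier accepts forgery:", verify_vulnerable(forged, SECRET))
    print("hardened verifier accepts forgery:  ", verify_hardened(forged, SECRET))
```

The ordering in verify_hardened is the point of the remedy: the presence of a signature is checked before the token is parsed, and the server's configured algorithm decides how the signature is verified, so nothing the attacker writes into the header can downgrade the check.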