ESLint Interlace
Plugin: jwt

Rules

All ESLint security rules provided by eslint-plugin-jwt

13 Security Rules

Comprehensive coverage of JWT security including algorithm confusion, token validation, and CVE-specific vulnerabilities.

All Rules

no-algorithm-confusion

This rule detects algorithm confusion attacks where symmetric algorithms (HS256, HS384, HS512) are used with asymmetr...

no-algorithm-none

This rule detects attempts to use the none algorithm which completely bypasses JWT signature verification

no-decode-without-verify

The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance.

no-hardcoded-secret

The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance.

no-sensitive-payload

JWT payloads are NOT encrypted, only base64-encoded

no-timestamp-manipulation

This rule detects noTimestamp: true which disables automatic iat (issued at) claim generation

no-weak-secret

The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance.

require-algorithm-whitelist

This rule enforces explicit algorithm specification in verify() calls

require-audience-validation

The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance.

require-expiration

The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance.

require-issued-at

This rule ensures tokens have the iat claim for freshness validation

require-issuer-validation

The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance.

require-max-age

This rule mandates maxAge in verify operations


Rule Categories

Algorithm Security

Rules preventing algorithm confusion attacks (CVE-2022-23540) and ensuring proper algorithm whitelisting.

Token Validation

Rules requiring proper validation of audience, issuer, expiration, and issued-at claims.

Secrets & Keys

Rules detecting hardcoded secrets and weak signing keys.

Payload Security

Rules preventing sensitive data exposure in JWT payloads.
