JWT Header alg Field
Explore the JWT header alg (algorithm) field, all supported algorithm values, the critical 'none' algorithm vulnerability, and why explicit algorithm allowlists matter.
Detailed Explanation
The alg (algorithm) header parameter identifies the cryptographic algorithm used to secure the JWT. It is the only required field in the JWT header and is critical for both security and interoperability. The value determines how the server verifies (or creates) the token's signature.
Supported algorithm values:
The JSON Web Algorithms (JWA) specification (RFC 7518) defines several algorithm families:
| Algorithm | Type | Description |
|---|---|---|
| HS256, HS384, HS512 | Symmetric | HMAC with SHA-2 |
| RS256, RS384, RS512 | Asymmetric | RSASSA-PKCS1-v1_5 with SHA-2 |
| ES256, ES384, ES512 | Asymmetric | ECDSA with SHA-2 |
| PS256, PS384, PS512 | Asymmetric | RSASSA-PSS with SHA-2 |
| EdDSA | Asymmetric | Edwards-curve DSA (Ed25519/Ed448) |
| none | None | Unsecured JWT (no signature) |
The "none" algorithm vulnerability:
The "none" algorithm produces an unsecured JWT with no signature. It exists for contexts where integrity is guaranteed by other means (e.g., a TLS channel). However, if a server accepts the "none" algorithm from incoming tokens, an attacker can craft any payload, set alg to "none", and the server will accept it without signature verification. This was one of the first critical JWT vulnerabilities discovered and has affected numerous libraries.
// ATTACK: Attacker crafts this header
{ "alg": "none", "typ": "JWT" }
// Token: eyJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbiJ9.
// No signature needed!
Algorithm confusion attacks:
Another attack involves switching the algorithm. If a server is configured for RS256 (asymmetric), an attacker might change the header to HS256 (symmetric) and sign the token with the server's public key (which is publicly available). If the server uses the token's alg header to select the verification method, it will verify the HMAC using the public key as the secret, and the forged token passes verification.
Mandatory defense: algorithm allowlists:
Always configure your JWT library with an explicit list of accepted algorithms. Never allow the token itself to dictate which algorithm the server uses for verification. This single practice prevents both the "none" algorithm attack and algorithm confusion attacks.
// Always specify allowed algorithms
jwt.verify(token, key, { algorithms: ['RS256'] });
Use Case
A security engineer configures the API gateway to accept only RS256 tokens, preventing algorithm confusion attacks where attackers switch the header to HS256 or none.