How to Fix JWT Vulnerabilities in Express
Learn how to prevent and fix JWT Vulnerabilities vulnerabilities in Express applications. Step-by-step guide with code examples, security checklists, and best practices.
What Is JWT Vulnerabilities?
JSON Web Tokens (JWTs) are a compact, URL-safe method for representing claims to be transferred between two parties. JWT vulnerabilities arise from improper implementation, validation, or management of these tokens. Because JWTs are widely used for authentication and authorization in modern web applications, these vulnerabilities can have critical security implications.
Common JWT vulnerabilities include: Algorithm Confusion attacks, where an attacker changes the token's algorithm header from RS256 (asymmetric) to HS256 (symmetric) and signs it with the public key; accepting tokens with the "none" algorithm, allowing unsigned tokens; insufficient signature validation or skipping validation entirely; using weak secrets for HMAC signing; not validating claims like `exp` (expiration), `iss` (issuer), or `aud` (audience); storing tokens insecurely (localStorage in XSS-vulnerable applications); and not implementing proper token revocation.
Supabase and many modern auth providers use JWTs as access tokens. While the providers handle token creation securely, applications that manually verify, decode, or extend JWT functionality can introduce vulnerabilities. Custom middleware that parses JWTs without proper validation is a frequent source of issues.
Why It Matters
JWTs are the primary authentication mechanism for many modern applications and APIs. A compromised JWT gives an attacker the same access as the legitimate user, including any roles or permissions encoded in the token. Unlike session-based authentication where the server can immediately invalidate a session, JWTs are stateless -- a compromised token remains valid until it expires. Algorithm confusion attacks can allow any user to forge tokens with arbitrary claims, including admin privileges. Leaked tokens stored in localStorage can be harvested through XSS vulnerabilities. Weak JWT secrets can be cracked offline using brute force tools.
How to Fix It in Express
Use asymmetric algorithms (RS256, ES256) rather than symmetric (HS256) for JWT signing. Explicitly specify the allowed algorithms when verifying tokens -- never let the token's header dictate the verification algorithm. Validate all relevant claims including expiration (`exp`), issuer (`iss`), audience (`aud`), and not-before (`nbf`). Use short expiration times (15 minutes for access tokens) with refresh token rotation. Store tokens in HttpOnly cookies rather than localStorage to prevent XSS-based theft. Implement token revocation using a deny list for sensitive operations. Use a strong, randomly generated secret of sufficient length (at least 256 bits for HS256). Rotate signing keys periodically and implement key rollover support.
Express-Specific Advice
- Use `helmet` middleware for setting security headers (CSP, HSTS, X-Frame-Options, etc.) with sensible defaults.
- Use `express-rate-limit` for rate limiting. Apply stricter limits to authentication endpoints and API routes.
- Always use parameterized queries with your database driver. Never concatenate user input into SQL strings.
- Validate request bodies using `express-validator`, Zod, or Joi middleware. Reject requests that do not match expected schemas.
Express Security Checklist for JWT Vulnerabilities
Express Security Best Practices
Use `helmet` middleware for setting security headers (CSP, HSTS, X-Frame-Options, etc.) with sensible defaults.
Use `express-rate-limit` for rate limiting. Apply stricter limits to authentication endpoints and API routes.
Always use parameterized queries with your database driver. Never concatenate user input into SQL strings.
Validate request bodies using `express-validator`, Zod, or Joi middleware. Reject requests that do not match expected schemas.
Use `cors` middleware with explicit origin allowlists. Never use `cors({ origin: '*' })` in production.
Disable the `X-Powered-By` header with `app.disable('x-powered-by')` or by using helmet.
Use `multer` or `busboy` for file uploads with strict file type and size limits. Store files outside the web root.
Implement proper error handling middleware that does not leak stack traces or internal details in production.
Scan Your Express App with SafeVibe
Stop guessing if your Express app is vulnerable to JWT Vulnerabilities. Run an automated penetration test in minutes and get actionable results.
Start Free Scan