Cyberway

2026-07-05

Common JWT Security Mistakes

Avoid alg none, weak HMAC secrets, long-lived tokens, and confusing decode with verify.

Most JWT incidents come from predictable mistakes. Here are the ones that show up again and again.

Accepting alg none

If a verifier trusts the header's alg blindly, an attacker can set alg to none and forge payloads. Pin allowed algorithms on the server.

Weak HMAC secrets

Secrets like secret, password, or short strings are brute-forceable. Cyberway warns about weak secrets when you verify or generate HMAC tokens — treat that as a teaching signal, not a full audit.

Treating decode as authenticate

Anyone can decode a JWT. Authentication requires signature verification (and usually audience/issuer checks).

Eternal tokens

Tokens without exp, or with multi-year lifetimes, are hard to revoke. Prefer short access tokens plus a refresh strategy.

Next steps

Practice safely with the JWT Decoder and JWT Generator, then read the Complete JWT Guide.

Try the Cyberway JWT Decoder or JWT Generator — both run entirely in your browser.