Auth0 has a great write-up on common JWT attacks that is worth a look for anyone using JWTs for authorization. I've provided a summary here as a TL;DR.

JWT Headers

  • Do not process a JWT body before checking the header.
  • Do not trust the alg the header announces: compare it against the algorithm(s) your verifier is configured to accept and reject anything else, in particular alg: none, which marks an unsigned token. Letting the header choose the algorithm is also what makes RS256-to-HS256 key-confusion attacks possible.
  • If you are using HS256, remember that the shared secret can be brute-forced offline from a single captured token when it is short or guessable. Use a random secret of at least 256 bits, or consider switching to RS256 so the verifier holds no secret that can be recovered that way.
  • If you are using elliptic-curve cryptography, ensure your implementation verifies that public keys are valid points on the chosen curve and that private keys lie inside the valid scalar range. An ECDSA verifier should also reject signatures whose r or s component falls outside [1, n-1].
  • Validate every claim you rely on, at minimum exp, nbf, iat, aud, iss and sub, before trusting the token: a good signature only proves who issued it, not that it is meant for you or still valid.
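
To make the checklist concrete, below is an added example written for this summary; it is not code from the Auth0 article or from any JWT library. It is a standard-library-only HS256 verifier that applies the checks in the order above (header, algorithm allowlist, signature, claims), plus a small dictionary attack showing why a weak HS256 secret is dangerous. All function names and the SECRET, AUD, ISS and NOW values are constructed for the demo.

```python
"""Minimal JWT verifier implementing the checklist above (stdlib only).
Illustrative code, not Auth0's or any library's. SECRET/AUD/ISS/NOW are
constructed demo values; use a maintained JWT library in production."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ALLOWED_ALGS = {"HS256"}   # pinned by the verifier; "none" is deliberately absent
SECRET = b"s3cret"         # deliberately weak, to show the brute-force risk
AUD, ISS, NOW = "https://api.example", "https://issuer.example", 1_700_000_000


def b64url_decode(segment: str) -> bytes:
    # JWTs strip base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def encode_token(header: dict, payload: dict, secret: Optional[bytes]) -> str:
    """Build a compact JWS; secret=None yields an unsigned alg-none style token."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if secret is None:
        return f"{h}.{p}."
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify(token: str, secret: bytes, audience: str, issuer: str,
           now: Optional[float] = None) -> dict:
    """Return the claims if the token is valid, else raise ValueError.
    Header, then algorithm, then signature, then claims; the body is trusted last."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts

    # 1. Header check. The announced alg must be in our allowlist; it is never
    #    used to pick the algorithm, which also closes RS256->HS256 confusion.
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unacceptable alg {header.get('alg')!r}")

    # 2. Signature check, constant-time comparison.
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")

    # 3. Claims check. exp is mandatory here; nbf/iat get a 60 s clock-skew allowance.
    claims = json.loads(b64url_decode(p_b64))
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    if now + 60 < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    if claims.get("iat", 0) > now + 60:
        raise ValueError("issued in the future")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def brute_force_hs256(token: str, wordlist) -> Optional[bytes]:
    """Offline dictionary attack on an HS256 secret: one captured token plus a
    guess list is all an attacker needs, which is why a weak shared secret is fatal."""
    h_b64, p_b64, s_b64 = token.split(".")
    signing_input, target = f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64)
    for guess in wordlist:
        if hmac.compare_digest(hmac.new(guess, signing_input, hashlib.sha256).digest(), target):
            return guess
    return None


def rejected(token: str) -> bool:
    try:
        verify(token, SECRET, AUD, ISS, now=NOW)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Exercise the checks on constructed tokens and return the outcomes."""
    hdr = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": "alice", "aud": AUD, "iss": ISS,
              "iat": NOW - 10, "nbf": NOW - 10, "exp": NOW + 300}
    good = encode_token(hdr, claims, SECRET)
    none_tok = encode_token({"alg": "none", "typ": "JWT"}, claims, None)
    expired = encode_token(hdr, {**claims, "exp": NOW - 1}, SECRET)
    wrong_aud = encode_token(hdr, {**claims, "aud": "https://other.example"}, SECRET)
    return {
        "valid_sub": verify(good, SECRET, AUD, ISS, now=NOW)["sub"],
        "none_rejected": rejected(none_tok),
        "expired_rejected": rejected(expired),
        "wrong_aud_rejected": rejected(wrong_aud),
        "recovered_secret": brute_force_hs256(good, [b"password", b"secret", b"s3cret"]),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier never reads the algorithm out of the header to decide what to do; it only checks that the header agrees with what the deployment was configured to accept, which is what defeats both alg: none and key-confusion tokens. The RS256 and elliptic-curve checks from the list are out of scope for this HS256-only sketch; a real deployment would get them from a maintained library configured with an explicit algorithm allowlist.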

These were just the most interesting take-aways. I highly suggest folks read the entire article.