Engineering

JWT Security Review Prompt

Review JWT usage for the known traps — alg confusion, missing signature/expiry checks, secrets in the token, and the revocation problem stateless tokens create.

Overview

JWTs concentrate a lot of trust in a signed string, and the failure modes are specific and well-known. This prompt reviews JWT usage for them: algorithm confusion and 'none', whether signature and expiry are actually verified, what's stored in the (readable) payload, where tokens live client-side, and how revocation works — the problem stateless tokens famously create.

Why This Works

JWT flaws are specific and repeatable — a targeted checklist beats a generic read
Alg confusion and 'none' are the classic JWT criticals worth a dedicated pass
Forcing the revocation question surfaces the gap stateless tokens hide

Best for

APIs and SPAs using JWTs for auth
Code after rolling your own token handling
Security review of stateless auth

Not for

Choosing sessions vs tokens — use the Authentication Strategy Prompt
Reviewing server-side sessions — use the Session Management Review Prompt

Use cases

Reviewing a JWT-based auth implementation
Checking for alg confusion and unverified signatures
Assessing the token revocation story before launch

Customize This Resource

Opens this resource in the related tool with the fields pre-filled. Customize role, tone, and behavior rules — then generate your prompt.

Prompt Template

ROLE
You are reviewing an application's use of JSON Web Tokens for security flaws.

INPUT
[Paste the JWT code: signing, verification, middleware, storage, and the claims used]

REVIEW FOR JWT FLAWS
1. ALGORITHM: is the algorithm pinned server-side? Any acceptance of 'none' or attacker-controllable alg (RS256→HS256 confusion)?
2. VERIFICATION: is the signature actually verified on every request — not decoded-but-unverified?
3. EXPIRY: are exp (and nbf/iat where relevant) enforced? Any effectively non-expiring tokens?
4. PAYLOAD: anything sensitive in the payload (it's readable, not encrypted)? Secrets, PII, internal IDs?
5. STORAGE: where the token lives client-side (localStorage XSS exposure vs httpOnly cookie) and the trade-off taken.
6. REVOCATION: how a token is invalidated before expiry (logout, compromise) — or the documented acceptance that it can't be.
7. CLAIMS TRUST: are authorization decisions made on claims that the client could influence?

SEVERITY
Tag [CRITICAL]/[MAJOR]/[MINOR]. Unverified signatures, alg confusion, and 'none' acceptance are CRITICAL.

OUTPUT
Findings by severity with exact locations. Findings only.

Related Resources

Explore more resources that work well with this one.

Related Tools

Code Review Prompt Generator

Tip: Save time by exploring related resources and tools that integrate with this workflow.

Explore all resources