Web Application Security · intermediate · ~12 min

Security headers, CORS, and JWT weaknesses

Audit security headers/CORS and recognise the common JWT flaws.

Overview

Missing security headers (CSP, HSTS, nosniff, frame-ancestors) are easy findings. CORS bugs come from reflecting arbitrary Origins with credentials. JWT flaws: alg:none, RS256→HS256 confusion, weak HMAC secrets, unchecked expiry, secrets in the (unencrypted) payload. Fixes: allowlist origins; pin alg, verify signature, validate claims.

Why it matters

These are some of the most common web findings: header gaps weaken defence-in-depth, credentialed-CORS reflection exposes authenticated data cross-origin, and JWT mistakes allow outright authentication bypass via forged tokens.

Core concepts

  • Headers: CSP (anti-XSS), HSTS, nosniff, frame-ancestors.
  • CORS bug: reflecting the request Origin together with Allow-Credentials gives any site an authenticated cross-origin read; allowlist exact origins instead.
  • JWT: alg:none, algorithm confusion, weak secret, unchecked exp; the payload is base64-encoded, not encrypted.
  • Fix: pin the algorithm, verify the signature, validate claims.

Lesson

A grab-bag of high-frequency findings around headers, cross-origin policy, and tokens.

Security headers (defence-in-depth, easy wins)

  • Content-Security-Policy (CSP) — restricts script/resource origins; the strongest anti-XSS layer.
  • Strict-Transport-Security (HSTS) — forces HTTPS.
  • X-Content-Type-Options: nosniff (blocks MIME sniffing), X-Frame-Options or CSP frame-ancestors (anti-clickjacking), Referrer-Policy (limits URL leakage). Their absence is a routine (low-but-real) finding.
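An added example (not part of the lesson) of the header audit these bullets describe: a small checker that takes a response's headers and reports which protections are missing or mis-set. The two header dictionaries are constructed samples, and the one-year HSTS threshold is a common recommendation assumed here, not a rule from the page.

```python
import re

# Constructed sample: a response that forgot most security headers and
# mis-set the two it does send.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=60",   # present, but only 60 seconds
    "X-Frame-Options": "ALLOWALL",               # not a valid directive
}

# Constructed sample: the same response after the fixes.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

ONE_YEAR = 365 * 24 * 3600   # assumed minimum HSTS max-age for this audit


def hsts_max_age(value):
    """Return the max-age (seconds) from an HSTS header value, or None if absent."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit_security_headers(headers):
    """Return a list of (header, problem) findings for one response.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append(("Content-Security-Policy", "missing; no script/resource origin restriction"))
    elif "'unsafe-inline'" in csp:
        findings.append(("Content-Security-Policy", "allows 'unsafe-inline'; inline script still executes"))

    # Framing protection comes from CSP frame-ancestors or a valid X-Frame-Options value.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options/frame-ancestors", "no effective anti-framing directive (clickjacking)"))

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing; HTTPS not enforced"))
    else:
        age = hsts_max_age(hsts)
        if age is None or age < ONE_YEAR:
            findings.append(("Strict-Transport-Security", f"max-age {age} is below one year"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "missing 'nosniff'; MIME sniffing possible"))

    if "referrer-policy" not in h:
        findings.append(("Referrer-Policy", "missing; full URLs may leak in the Referer header"))

    return findings


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        results = audit_security_headers(hdrs)
        print(f"{name}: {len(results)} finding(s)")
        for header, problem in results:
            print(f"  {header}: {problem}")
```

Feed it the headers returned by curl -I or a requests.Response and it produces the finding list directly; the X-Frame-Options case shows why an audit must check values, not only presence, since ALLOWALL is present but protects nothing.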

CORS misconfiguration

CORS controls which origins may read cross-origin responses. The dangerous mistake is reflecting the request's Origin header back in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true: any site can then make authenticated cross-origin reads of the victim's data. Browsers refuse Access-Control-Allow-Origin: * when credentials are sent, so the wildcard is not the problem; reflecting arbitrary origins is the real bug. Allowlist exact trusted origins (scheme, host and port), matched by exact string comparison.
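An added example (not part of the lesson) that puts the reflecting handler beside the allowlisted one and includes the audit check a tester applies to a response. The allowlist entries and probe origins are constructed; the handlers return the CORS headers a server would attach, independent of any web framework.

```python
# Constructed allowlist of exact origins (scheme + host, plus port if non-default).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_reflecting(request_origin):
    """The misconfiguration described above: echo whatever Origin arrived and
    allow credentials too. Kept only to contrast with the fixed handler."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(request_origin, allowed=ALLOWED_ORIGINS):
    """Fixed handler: only an exact allowlisted origin gets an ACAO header and
    credentials. Any other origin gets no CORS headers at all, so the browser
    blocks the cross-origin read. Exact string match, not prefix, suffix or regex."""
    if request_origin is None or request_origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        # The allowed value depends on the request, so shared caches must key on Origin.
        "Vary": "Origin",
    }


def is_credentialed_reflection(probe_origin, response_headers, allowed=ALLOWED_ORIGINS):
    """Audit check: True when a response to a request from an origin that is NOT
    on the allowlist echoes that origin in ACAO together with credentials."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    acac = response_headers.get("Access-Control-Allow-Credentials", "").lower()
    return probe_origin not in allowed and acao == probe_origin and acac == "true"


if __name__ == "__main__":
    # Constructed probe origins: one trusted, one unrelated, one lookalike.
    probes = ("https://app.example.com", "https://other.test", "https://app.example.com.other.test")
    for origin in probes:
        for name, handler in (("reflecting", cors_headers_reflecting), ("allowlisted", cors_headers_allowlisted)):
            resp = handler(origin)
            flag = "VULNERABLE" if is_credentialed_reflection(origin, resp) else "ok"
            print(f"{name:11s} {origin:40s} {flag}")
```

The lookalike origin is the reason the allowlist uses set membership rather than startswith or endswith: it shares a prefix with a trusted origin yet is a different site, and the fixed handler returns no CORS headers for it.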

JWT weaknesses

JSON Web Tokens are signed claims (header.payload.signature). Common flaws:

  • alg: none — token accepted with no signature → forge any claims.
  • Algorithm confusion (RS256→HS256) — a verifier that takes the algorithm from the token header can be made to check an HS256 signature using the RSA public key as the HMAC secret; because that key is public, anyone can produce signatures it accepts.
  • Weak HMAC secret — brute-forceable, then forge tokens.
  • No expiry, or expiry not checked; sensitive data in the payload, which is base64-encoded, not encrypted, and readable by anyone holding the token.

Fix: pin the algorithm server-side (never take it from the token header), verify the signature before reading any claim, use strong secrets/keys, validate exp/aud/iss, and never trust an unverified token.
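An added example (not the lesson's code) of a verifier that applies the fix above, using only the Python standard library so the checks are visible rather than hidden in a JWT library. The secret, issuer, audience, clock value and claims are constructed; the alg:none token is built only as a test vector so the example can show the verifier rejecting it, alongside a token signed with the wrong key, one for the wrong audience, and an expired one.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; a real secret is 32+ random bytes from a KMS or env.
SECRET = b"constructed-example-secret-replace-with-random-bytes"
ISSUER = "https://issuer.example"
AUDIENCE = "api.example"
DEMO_NOW = 1_700_000_000   # fixed clock so the example is reproducible


class InvalidToken(Exception):
    """Raised for any token the verifier will not accept."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token: base64url(header).base64url(payload).base64url(HMAC)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def unsigned_token(claims: dict) -> str:
    """Test vector only: an alg:none token (empty signature) that a correct verifier rejects."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def demo_claims() -> dict:
    return {"sub": "alice", "iss": ISSUER, "aud": AUDIENCE, "iat": DEMO_NOW, "exp": DEMO_NOW + 3600}


def verify_hs256(token: str, secret: bytes, issuer: str = ISSUER, audience: str = AUDIENCE, now=None) -> dict:
    """Verify and return the claims, or raise InvalidToken.

    The algorithm is pinned by the server: the header's alg is compared to HS256
    and never used to choose a key or routine, which closes both alg:none and
    RS256->HS256 confusion. The signature is checked before any claim is trusted;
    then exp, nbf, iss and aud are validated."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError as e:   # wrong segment count, bad base64, bad JSON
        raise InvalidToken(f"malformed token: {e}")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("algorithm is not the pinned HS256")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        raise InvalidToken("signature mismatch")
    if not isinstance(claims, dict):
        raise InvalidToken("payload is not a JSON object")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise InvalidToken("missing or expired exp")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf:
        raise InvalidToken("token not yet valid (nbf)")
    if claims.get("iss") != issuer:
        raise InvalidToken("unexpected issuer")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise InvalidToken("audience mismatch")
    return claims


def accepts(token: str, secret: bytes = SECRET, now=DEMO_NOW) -> bool:
    """Convenience wrapper: True if verify_hs256 accepts the token."""
    try:
        verify_hs256(token, secret, now=now)
        return True
    except InvalidToken:
        return False


if __name__ == "__main__":
    good = sign_hs256(demo_claims(), SECRET)
    cases = {
        "valid token": (good, DEMO_NOW),
        "alg:none token": (unsigned_token(demo_claims()), DEMO_NOW),
        "signed with a different secret": (sign_hs256(demo_claims(), b"some-other-key"), DEMO_NOW),
        "wrong audience": (sign_hs256({**demo_claims(), "aud": "other-service"}, SECRET), DEMO_NOW),
        "valid token, two hours later": (good, DEMO_NOW + 7200),
    }
    for label, (tok, clock) in cases.items():
        print(f"{label:32s} -> {'accepted' if accepts(tok, now=clock) else 'rejected'}")
```

The order of checks is the design point: structure, pinned algorithm and signature come first, and a claim is only read after the signature over it has been confirmed, so a token whose payload was edited never reaches the exp or aud checks with unverified data.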

Summary

Header hygiene, correct CORS (allowlist, never reflect-with-credentials), and sound JWT verification (pinned algorithm, verified signature, validated claims, no secrets in the payload) close a cluster of frequent, sometimes auth-bypassing, web flaws.