.ns { max-width: 760px; margin: 0 auto; padding: 60px 32px; font-family: Inter, sans-serif; color: #f4f4ee; } .ns h1 { font-family: Fraunces, Georgia, serif; font-size: 44px; letter-spacing: -.025em; margin: 16px 0 18px; line-height: 1.08; } .ns h2 { font-family: Fraunces, Georgia, serif; font-size: 26px; letter-spacing: -.015em; margin: 32px 0 12px; } .ns p { font-size: 16px; line-height: 1.7; color: rgba(244,244,238,.8); margin: 0 0 18px; } .ns .meta { font-family: 'JetBrains Mono', monospace; font-size: 11px; letter-spacing: .14em; text-transform: uppercase; color: #c5ff4a; margin-bottom: 8px; } .ns nav a { color: #c5ff4a; text-decoration: none; margin-right: 12px; } .ns nav { font-family: 'JetBrains Mono', monospace; font-size: 11px; letter-spacing: .12em; text-transform: uppercase; padding: 18px 0; border-top: 1px solid rgba(255,255,255,.1); border-bottom: 1px solid rgba(255,255,255,.1); margin: 32px 0; }

API Security · 2024-09-22 · Anil Kumar

JWT Attacks in 2025: alg=none Is Gone, But These Aren't

The alg=none bug is mostly gone. Algorithm confusion, kid header injection, weak HMAC secrets and JWE confusion are very much still here.

The full article renders with JavaScript enabled. The summary above is provided for accessibility and indexing.