The JWT alg:none Attack: Change One Header Field, Forge an Admin Token. One ESLint Rule Blocks It.
alg:none tells a JWT verifier "this token carries no signature", and a permissive verify call takes the token's word for it and accepts the forgery. The header-swap walkthrough, why jsonwebtoken still ships the foot-gun, and the CWE-347 (Improper Verification of Cryptographic Signature) ESLint rule that fails the build on it.
Tags: #eslint #security #jwt