ASVS Requirement 9.1.2

• Level: 1
• Chapter: V9 Self-contained Tokens
• Section: V9.1 Token source and integrity
• Source: 0x18-V9-Self-contained-Tokens.md

Description

Verify that only algorithms on an allowlist can be used to create and verify self-contained tokens, for a given context. The allowlist must include the permitted algorithms, ideally only either symmetric or asymmetric algorithms, and must not include the 'None' algorithm. If both symmetric and asymmetric must be supported, additional controls will be needed to prevent key confusion.