ASVS Requirement 9.1.3
- Level: 1
- Chapter: V9 Self-contained Tokens
- Section: V9.1 Token source and integrity
- Source: 0x18-V9-Self-contained-Tokens.md
Description
Verify that key material that is used to validate self-contained tokens is from trusted pre-configured sources for the token issuer, preventing attackers from specifying untrusted sources and keys. For JWTs and other JWS structures, headers such as 'jku', 'x5u', and 'jwk' must be validated against an allowlist of trusted sources.
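As an added illustration of this requirement (example code written for this page, not ASVS or any library's own implementation), the verifier below resolves key material exclusively from a key store configured at deployment time. Header fields that name a key source are checked against an allowlist before any signature check: 'jku' may only select one of the pre-configured source entries, 'x5u' is compared against an (here empty) allowlist, and inline key material in 'jwk' (and, going one step past the text, 'x5c') is refused outright because it comes from the token itself. The key-store layout, the URLs, the 'kid' values, the shared secret and the choice of HS256 are all constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example: key material configured at deployment time for the
# token issuer, keyed first by the trusted source URL, then by 'kid'.
# Nothing is fetched at runtime; an allowlisted 'jku' only selects which
# pre-configured key set applies.
TRUSTED_KEY_SOURCES = {
    "https://issuer.example/.well-known/jwks.json": {
        "issuer-key-1": b"constructed-shared-secret-do-not-reuse",
    },
}
DEFAULT_SOURCE = "https://issuer.example/.well-known/jwks.json"
ALLOWED_X5U = set()      # no certificate URLs are trusted in this deployment
ALLOWED_ALGS = {"HS256"}  # the only algorithm the issuer is configured to use


class TokenRejected(Exception):
    """Raised when a token must not be trusted."""


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def select_verification_key(header):
    """Return the pre-configured key for this header, or reject the token."""
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenRejected("alg not allowed")
    # Inline keys and certificate chains are supplied by whoever produced the
    # token, so they can never be a trusted source of key material.
    for h in ("jwk", "x5c"):
        if h in header:
            raise TokenRejected(f"'{h}' header supplies untrusted key material")
    if "x5u" in header and header["x5u"] not in ALLOWED_X5U:
        raise TokenRejected("'x5u' not in allowlist")
    source = header.get("jku", DEFAULT_SOURCE)
    if source not in TRUSTED_KEY_SOURCES:
        raise TokenRejected("'jku' not in allowlist")
    keys = TRUSTED_KEY_SOURCES[source]
    kid = header.get("kid")
    if kid not in keys:
        raise TokenRejected("unknown kid")
    return keys[kid]


def verify_jwt(token):
    """Verify an HS256 JWS compact token and return its claims, or raise."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        signature = _b64url_decode(s64)
        if not isinstance(header, dict):
            raise ValueError("header is not an object")
    except (ValueError, TypeError):
        raise TokenRejected("malformed token")
    # Key selection happens before the signature is even looked at.
    key = select_verification_key(header)
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("bad signature")
    return json.loads(_b64url_decode(p64))


def sign_jwt(header, claims, key):
    """Produce an HS256 token; used here only to construct sample input."""
    h64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url_encode(sig)}"


def rejection_reason(token):
    """Return None if the token verifies, otherwise the rejection reason."""
    try:
        verify_jwt(token)
        return None
    except TokenRejected as exc:
        return str(exc)


if __name__ == "__main__":
    good_key = TRUSTED_KEY_SOURCES[DEFAULT_SOURCE]["issuer-key-1"]
    good = sign_jwt({"alg": "HS256", "kid": "issuer-key-1"}, {"sub": "alice"}, good_key)
    print(verify_jwt(good))
    # A header naming a key source the verifier never configured is rejected
    # before its signature is checked, whatever key produced it.
    unknown_source = sign_jwt(
        {"alg": "HS256", "kid": "issuer-key-1",
         "jku": "https://not-the-issuer.example/jwks.json"},
        {"sub": "alice"}, b"constructed-other-key")
    print(rejection_reason(unknown_source))
```

The order of checks matters: the algorithm and key-source headers are validated and the key is chosen from configuration first, so a token can never steer the verifier towards key material it did not already hold. When a real deployment does allow 'jku' or 'x5u' fetches, the same allowlist check should gate the fetch, and the fetched keys should be cached and pinned to the configured source rather than trusted per token.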