"algorithm" in the JWT

[okdt]

It reads,

Don't extract the algorithm from the payload. Force the algorithm in the backend (HS256 or RS256).

Normally, we can find "alg" in the header part, not the payload part of JWT.
Well, what is your point of the risk case?

[okdt]

If you mean we should disable the "alg" claim of JWT for the security concern of "alg" , you may replace just "payload" to "header", or we may have to mention about the risk of "alg": "none" case.

[netcode]

@okdt , Nice catch.
As you said the correct word is header not payload.

[okdt]

I made a simple PR.

[netcode]

merged #129 . Thanks a lot.