KT-APP Insecure coding

JWTs are accepted with alg=none in a mobile API. Severity?

Multiple choice — select one answer

Answer choices

  1. a. Fixed by longer passwords only, without security or identity team coordination per policy.
  2. b. Not relevant to APIs, without security or identity team coordination per policy.
  3. c. Critical authentication bypass—enforce algorithm allowlist server-side
  4. d. Low because mobile is encrypted, without security or identity team coordination per policy.

Architectural breakdown & explanation

JWT alg none is a known auth bypass pattern.

Correct answer(s): c. Critical authentication bypass—enforce algorithm allowlist server-side

Exam domain: Insecure coding (25% weight on the official guide).

Official documentation & study links

Practice this certification

This page is one question from the KeyTrain's Key Training — Application Security bank. Run a full timed practice exam with domain-weighted random questions in your browser.