rspec/rules/S5659/description.adoc

If a JSON Web Token (JWT) is not signed with a strong cipher algorithm (or not signed at all), an attacker can forge it and impersonate user identities.
* Don't use ``none`` algorithm to sign or verify the validity of a token.
* Don't use a token without first verifying its signature.
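An added example, not part of the rspec rule text, of a verifier that follows both points: the ``alg`` header is only compared against an allow-list (so ``none`` is always rejected) and the HMAC is checked before any claim is returned. It assumes an HS256 shared key and uses only the Python standard library; the key and tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real service loads it from a secret store.
SECRET = b"demo-secret-do-not-use-in-production"
# Allow-list of algorithms this verifier accepts; "none" is never in it.
ALLOWED_ALGS = {"HS256"}

def b64url_decode(part: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding first.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def sign_hs256(payload: dict, secret: bytes = SECRET) -> str:
    """Issue a compact JWT signed with HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_jwt(token: str, secret: bytes = SECRET) -> Optional[dict]:
    """Return the claims only if alg is allow-listed and the HMAC matches."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # The header is attacker-controlled: it may only be compared against the
    # allow-list, never used to select the algorithm. "none" fails here.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so a wrong signature leaks nothing via timing.
    if not hmac.compare_digest(expected, sig):
        return None
    return claims
```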