diff --git a/webapp/views.py b/webapp/views.py
index 6bbe0f9..b9dad47 100644
--- a/webapp/views.py
+++ b/webapp/views.py
@@ -341,7 +341,9 @@ def nginx_jwt_resp(request, *args, **kwargs):
     if not cookie:
         return HttpResponse("", status=401)
     try:
-        token = decode(cookie, settings.SECRET_KEY)
+        # This also verifies the signature.
+        # See https://pyjwt.readthedocs.io/en/latest/usage.html#reading-the-claimset-without-validation
+        token = decode(cookie, settings.SECRET_KEY, algorithms=["HS256"])
     except InvalidSignatureError:
         return HttpResponse("", status=403)
     user = "admin" if token.get("username", "") == "admin" else "moderator"
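Review bot: Pinning `algorithms=["HS256"]` is the right call, but the `except InvalidSignatureError:` that follows is now too narrow: a cookie whose header names a different `alg` raises `InvalidAlgorithmError`, an expired token raises `ExpiredSignatureError`, and a malformed or tampered cookie raises `DecodeError`, none of which is caught here, so an attacker-supplied cookie turns into an unhandled exception (a 500) instead of the intended 403. Since this endpoint is an auth decision for nginx, every verification failure should map to the same deny response; catching the PyJWT base class does that: `except InvalidTokenError:` (with `from jwt import InvalidTokenError` alongside the existing import of `decode`). The "This also verifies the signature" comment could be made more precise for the next reader, e.g. `# decode() verifies the signature and rejects any token whose header alg is not HS256; algorithms= must be pinned so the token cannot choose the algorithm.` The last context line grants "moderator" to any holder of a validly signed token regardless of its claims, which is pre-existing and outside this change, but worth confirming is intended. nginx_jwt_resp begins before this hunk and continues after it.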