For our decoder, we know a priori which type of header to expect, since we decode for a specific algorithm A. This avoids the vulnerability of parsing the algorithm out of the token and then verifying against it. That is, the server should know the algorithm before it tries to deserialize the token.
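The following is an added example, not this project's code, of a decoder fixed to one algorithm. It assumes a JWT-style compact token (`header.payload.signature`) and takes HMAC-SHA256 as the algorithm A; the class `HS256Decoder` and its method names are hypothetical.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class HS256Decoder:
    """Decoder built for one algorithm; the token never selects the verifier."""
    ALG = "HS256"  # assumption: algorithm A is HMAC-SHA256

    def __init__(self, key: bytes):
        self._key = key

    def _mac(self, signing_input: bytes) -> bytes:
        return hmac.new(self._key, signing_input, hashlib.sha256).digest()

    def encode(self, claims: dict) -> str:
        header = b64url(json.dumps({"alg": self.ALG, "typ": "JWT"}).encode())
        body = b64url(json.dumps(claims).encode())
        sig = b64url(self._mac(f"{header}.{body}".encode()))
        return f"{header}.{body}.{sig}"

    def decode(self, token: str) -> dict:
        try:
            header_b64, body_b64, sig_b64 = token.split(".")
            sig = b64url_decode(sig_b64)
        except ValueError as exc:
            raise ValueError("malformed token") from exc
        # 1. Verify with the algorithm this decoder was built for,
        #    before any attacker-controlled JSON is deserialized.
        expected = self._mac(f"{header_b64}.{body_b64}".encode())
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")
        # 2. Only now parse the header; it must agree with what we already knew.
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != self.ALG:
            raise ValueError("unexpected algorithm in header")
        return json.loads(b64url_decode(body_b64))
```

The `alg` field is used only as a consistency check after verification, so a token that declares a different algorithm is rejected without that algorithm's code path ever running.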