diff --git a/src/SimpleJWT/JWT.php b/src/SimpleJWT/JWT.php
index f33d34c..af84664 100644
--- a/src/SimpleJWT/JWT.php
+++ b/src/SimpleJWT/JWT.php
@@ -134,6 +134,7 @@ public static function decode(string $token, KeySet $keys, string $expected_alg,
 }
 // Check signatures
+ if (!isset($headers['alg'])) throw new InvalidTokenException('alg parameter missing', InvalidTokenException::TOKEN_PARSE_ERROR);
 if ($headers['alg'] != $expected_alg) throw new InvalidTokenException('Unexpected algorithm', InvalidTokenException::SIGNATURE_VERIFICATION_ERROR);
 /** @var SignatureAlgorithm $signer */
 $signer = AlgorithmFactory::create($expected_alg);
diff --git a/tests/JWTTest.php b/tests/JWTTest.php
index 4e4ebb6..2535283 100644
--- a/tests/JWTTest.php
+++ b/tests/JWTTest.php
@@ -335,6 +335,16 @@ function testCrit() {
 $this->assertTrue($jwt->getClaim('iss'));
 }
+ function testMissingAlg() {
+ $this->expectException('SimpleJWT\InvalidTokenException');
+ $this->expectExceptionCode(InvalidTokenException::TOKEN_PARSE_ERROR);
+
+ $set = $this->getPublicKeySet();
+ $token = 'eyJ0eXAiOiAiSldUIn0.eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODB9.lLajjIbnhRpthOPhbJTaxoQ8JHYSAwSUl1Vxc4eQcIU';
+ $jwt = JWT::decode($token, $set, 'HS256');
+ $this->assertTrue($jwt->getClaim('iss'));
+ }
+
 function testInvalidToken() {
 $this->expectException('SimpleJWT\InvalidTokenException');
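Review bot: The added guard only covers an absent or null `alg`; a header whose `alg` is present but not a string (a number, boolean or array) still reaches the next line, where the loose `!=` compares it under PHP's type-juggling rules instead of rejecting it as malformed. Since `$signer` is built from `$expected_alg` rather than from the header, this does not change which algorithm verifies the signature, but a non-string `alg` is a parse error and should be reported as one, and the algorithm comparison should be strict. Suggested lines: `if (!isset($headers['alg']) || !is_string($headers['alg'])) throw new InvalidTokenException('alg parameter missing or invalid', InvalidTokenException::TOKEN_PARSE_ERROR);` followed by `if ($headers['alg'] !== $expected_alg) throw new InvalidTokenException('Unexpected algorithm', InvalidTokenException::SIGNATURE_VERIFICATION_ERROR);`. The body of `decode()` begins and ends outside this hunk, so whether `$headers` is already validated as an array earlier cannot be confirmed from here.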