Insecure default JWT secret fallback in configuration #753

Description

@Otaiki1

Problem

JWT_SECRET defaults to 'dev-secret-change-in-production' when the env var is missing (env.config.ts:48). If this variable is accidentally omitted in a production deploy, the hardcoded fallback silently takes effect — every token signed with it is trivially forgeable by anyone who reads the source.

Fix

Throw at startup if JWT_SECRET is missing or falls below a minimum entropy threshold. No silent fallback.

File: backend/src/config/env.config.ts:48
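One way to implement the fail-closed check the issue asks for, as an added example written for this page in the style of a TypeScript config module. It is not the project's env.config.ts; only the env var name and the fallback string come from the issue, while the thresholds, function names and the `ConfigError` type are assumptions. The validation policy is split into a pure function so it can be unit-tested without killing the process.

```typescript
import { randomBytes } from "node:crypto";

// Taken from the issue: the env var name and the insecure fallback it currently uses.
const INSECURE_FALLBACK = "dev-secret-change-in-production";
// Thresholds are assumptions for this example, not the project's settings.
const MIN_SECRET_BYTES = 32;   // 256 bits, the HMAC-SHA256 key size
const MIN_BITS_PER_CHAR = 3.0; // Shannon-entropy floor per character

export type Env = Record<string, string | undefined>;

export class ConfigError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "ConfigError";
  }
}

/** Shannon entropy of a string in bits per character (0 for one repeated character). */
export function shannonBitsPerChar(s: string): number {
  const chars = Array.from(s);
  const counts = new Map<string, number>();
  for (const ch of chars) counts.set(ch, (counts.get(ch) ?? 0) + 1);
  let h = 0;
  counts.forEach((n) => {
    const p = n / chars.length;
    h -= p * Math.log2(p);
  });
  return h;
}

/**
 * Returns null when JWT_SECRET is acceptable, otherwise the reason it is not.
 * Kept separate from the throwing loader so the policy is testable.
 */
export function jwtSecretProblem(env: Env): string | null {
  const raw = env.JWT_SECRET;
  if (raw === undefined || raw.trim() === "") {
    return "JWT_SECRET is not set";
  }
  if (raw === INSECURE_FALLBACK) {
    return "JWT_SECRET is the placeholder development value";
  }
  const bytes = new TextEncoder().encode(raw).length;
  if (bytes < MIN_SECRET_BYTES) {
    return `JWT_SECRET is ${bytes} bytes; at least ${MIN_SECRET_BYTES} are required`;
  }
  const h = shannonBitsPerChar(raw);
  if (h < MIN_BITS_PER_CHAR) {
    return `JWT_SECRET entropy is ${h.toFixed(2)} bits/char; at least ${MIN_BITS_PER_CHAR} required`;
  }
  return null;
}

/** Fail-closed loader: throws at startup instead of substituting a default. */
export function loadJwtSecret(env: Env = process.env): string {
  const problem = jwtSecretProblem(env);
  if (problem !== null) {
    throw new ConfigError(`${problem}; refusing to start`);
  }
  return env.JWT_SECRET as string;
}

/** Produces a secret that passes the checks above: 32 random bytes as base64url (43 chars). */
export function generateJwtSecret(): string {
  return randomBytes(MIN_SECRET_BYTES).toString("base64url");
}
```

Call `loadJwtSecret()` once at module load so a missing or weak secret aborts the process before any route is registered. The per-character Shannon entropy is only a cheap sanity check: it rejects repeated characters and the placeholder string but does not prove randomness, so the length floor and the explicit rejection of the known fallback do most of the work. Generate real secrets with `generateJwtSecret()` or an equivalent such as `openssl rand -base64 32`.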

Metadata

Labels

Stellar WaveFull ecosystem refactor initiative
