Problem
JWT_SECRET defaults to 'dev-secret-change-in-production' when the env var is missing (env.config.ts:48). If this variable is accidentally omitted in a production deploy, the hardcoded fallback silently takes effect — every token signed with it is trivially forgeable by anyone who reads the source.
Fix
Throw at startup if JWT_SECRET is missing or falls below a minimum entropy threshold. No silent fallback.
File: backend/src/config/env.config.ts:48
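One way to implement the fix described above, as an added example rather than the project's own env.config.ts: the silent-fallback loader beside a fail-fast loader that refuses a missing, placeholder, short, or low-entropy secret. The 32-character minimum and the 128-bit Shannon-entropy threshold are assumptions; only the fallback string comes from the finding.

```typescript
// Added example (not the project's code). Fallback value is from the finding;
// the length and entropy thresholds below are assumed, not the project's.
const DEV_FALLBACK = 'dev-secret-change-in-production';
export const MIN_SECRET_LENGTH = 32;       // assumption
export const MIN_SECRET_ENTROPY_BITS = 128; // assumption

// Before: the pattern the finding describes. A missing env var yields a
// publicly known key, so every token it signs can be forged.
export function loadJwtSecretUnsafe(env: Record<string, string | undefined>): string {
  return env.JWT_SECRET ?? DEV_FALLBACK;
}

// Shannon entropy estimate for the whole string, in bits: per-character
// entropy (-sum p*log2 p over distinct characters) times the length.
export function estimateEntropyBits(s: string): number {
  const counts = new Map<string, number>();
  for (const ch of s) counts.set(ch, (counts.get(ch) ?? 0) + 1);
  let perChar = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    perChar -= p * Math.log2(p);
  }
  return perChar * s.length;
}

// After: fail at startup. Returns the secret or throws; never substitutes a default.
export function loadJwtSecret(env: Record<string, string | undefined>): string {
  const secret = env.JWT_SECRET;
  if (secret === undefined || secret.trim() === '') {
    throw new Error('JWT_SECRET is not set; refusing to start');
  }
  if (secret === DEV_FALLBACK) {
    throw new Error('JWT_SECRET is the development placeholder; refusing to start');
  }
  if (secret.length < MIN_SECRET_LENGTH) {
    throw new Error(`JWT_SECRET must be at least ${MIN_SECRET_LENGTH} characters`);
  }
  const bits = estimateEntropyBits(secret);
  if (bits < MIN_SECRET_ENTROPY_BITS) {
    throw new Error(`JWT_SECRET entropy too low (~${bits.toFixed(0)} bits, need ${MIN_SECRET_ENTROPY_BITS})`);
  }
  return secret;
}
```

Call `loadJwtSecret(process.env)` once at module load so a misconfigured deploy crashes before it ever serves a request.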