
fix(lhf-001): remove hardcoded JWT secret fallback#3351

Open
patchninja-my wants to merge 1 commit into
SecureBananaLabs:mainfrom
patchninja-my:fix/lhf-001-jwt-secret-guard

Conversation


@patchninja-my patchninja-my commented Jun 1, 2026

Fixes

🔴 LHF-001: Hardcoded JWT secret fallback enables token forgery

What changed

  • Removed "development-secret" default value for JWT_SECRET
  • Added startup validation that crashes in production if secrets are missing

Before/After

Before: jwtSecret: process.env.JWT_SECRET ?? "development-secret"
After: jwtSecret: process.env.JWT_SECRET + production guard

Bounty Claim

/bounty $100
Wallet: TRON TKaPPxtvKDfMJkset12MzEhrF9hwrtmMPi

Closes #3356

- Remove 'development-secret' default value for JWT_SECRET
- Add startup validation crash in production for missing secrets
- Prevents token forgery when JWT_SECRET env var is unset
github-actions Bot added a commit that referenced this pull request Jun 1, 2026

Development

Successfully merging this pull request may close these issues.

[LHF-001] Remove hardcoded JWT secret fallback