security: refuse to boot in production if secret env vars are unset #549

Open
xpoes123 wants to merge 1 commit into qbreader:main from xpoes123:security/require-secrets-in-production
@xpoes123 xpoes123 commented Jun 30, 2026

Contributor

The app silently falls back to publicly-known placeholder values ('secret', 'salt', 'secretKey1', 'secretKey2') when SECRET, SALT, SECRET_KEY_1, or SECRET_KEY_2 are unset. Anyone who reads the source can forge session cookies and JWT tokens outright if the app is ever deployed without those variables set.

Problem

server/authentication.js uses process.env.SALT ? process.env.SALT : 'salt' and similar fallbacks for all four secrets. A production deployment missing any of these variables would run with trivially-known signing material while appearing healthy.

Changes

  • app.js — adds a production-only startup guard immediately after imports. If NODE_ENV === 'production' and any of SECRET, SALT, SECRET_KEY_1, or SECRET_KEY_2 is falsy, the process throws before the Express app is created. The existing ?? 'default' fallbacks in server/authentication.js are left untouched so npm run dev continues to work without a local .env.

Risk & testing

The guard only runs when NODE_ENV === 'production', so local development and CI are unaffected.

Before merging: confirm that all four variables — SECRET, SALT, SECRET_KEY_1, and SECRET_KEY_2 — are set in the production environment (e.g. Heroku config vars). If any one is absent, the dyno will refuse to start after this deploy.

@xpoes123 xpoes123 changed the title security: require secret env vars in production security: refuse to boot in production if secret env vars are unset Jun 30, 2026
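One way to write the startup guard this pull request describes, as an added example (not the PR's diff or qbreader code). The function names are hypothetical, and it goes one step beyond the described guard by also rejecting the four placeholder values named in the description, since a variable set to its public default is as forgeable as an unset one.

```javascript
// Added example. Function names are hypothetical, not from the qbreader code base.
const REQUIRED_SECRETS = ['SECRET', 'SALT', 'SECRET_KEY_1', 'SECRET_KEY_2'];

// The fallback values listed in the PR description; anyone who reads the source knows them.
const KNOWN_PLACEHOLDERS = new Set(['secret', 'salt', 'secretKey1', 'secretKey2']);

// Returns one entry per required variable that is unset, blank, or a known placeholder.
function findSecretProblems (env) {
  const problems = [];
  for (const name of REQUIRED_SECRETS) {
    const value = env[name];
    if (typeof value !== 'string' || value.trim() === '') {
      problems.push({ name, reason: 'unset' });
    } else if (KNOWN_PLACEHOLDERS.has(value)) {
      problems.push({ name, reason: 'placeholder' });
    }
  }
  return problems;
}

// Throws only when NODE_ENV is 'production', so development and CI keep their fallbacks.
function assertProductionSecrets (env) {
  if (env.NODE_ENV !== 'production') return;
  const problems = findSecretProblems(env);
  if (problems.length > 0) {
    // Report variable names and reasons only, never the values themselves.
    const detail = problems.map(p => `${p.name} (${p.reason})`).join(', ');
    throw new Error(`Refusing to start in production: ${detail}`);
  }
}

// An entry point would call assertProductionSecrets(process.env) before creating the app.
```

Taking the environment as a parameter keeps the check testable without mutating process.env.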