From 852cb58c10870a9f8e2020135729010cacd2f932 Mon Sep 17 00:00:00 2001
From: xpoes123
Date: Tue, 30 Jun 2026 00:00:03 -0400
Subject: [PATCH] security: refuse to boot in production with default secrets

---
 app.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/app.js b/app.js
index 1b4ababa6..bc8e702c4 100644
--- a/app.js
+++ b/app.js
@@ -11,6 +11,14 @@ import cookieSession from 'cookie-session';
 import express from 'express';
 import morgan from 'morgan';
 
+if (process.env.NODE_ENV === 'production') {
+ for (const key of ['SECRET', 'SALT', 'SECRET_KEY_1', 'SECRET_KEY_2']) {
+ if (!process.env[key]) {
+ throw new Error(`Missing required environment variable in production: ${key}`);
+ }
+ }
+}
+
 const app = express();
 if (process.env.NODE_ENV !== 'production') {
 app.use(morgan('dev'));
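Review bot: The new startup check in app.js rejects only unset or empty variables (`!process.env[key]`), so a production deployment that sets SECRET, SALT, SECRET_KEY_1 or SECRET_KEY_2 to a sample or placeholder value still boots, which is narrower than the "default secrets" named in the subject line. If the defaults exist only as in-code fallbacks elsewhere (not visible in this hunk), the missing-variable test covers them; if they can arrive through a copied example env file, the loop should also reject those known values, for example `if (!value || PLACEHOLDER_SECRETS.has(value)) {`, where `PLACEHOLDER_SECRETS` is a placeholder name for a set of the project's sample values. The guard is also skipped entirely when NODE_ENV is unset or misspelled, so a comment above it such as `// Fails open unless NODE_ENV is exactly 'production'; the deployment must set it.` would make that dependency explicit. The `if (process.env.NODE_ENV !== 'production')` block at the end of the hunk continues outside it.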