Skip to content

Security: document SIGN_COOKIES and JWT_SECRET entropy not enforced — add to .env.example #729

Description

@nadavosa

Problem

Two security-critical environment variables have no guidance in .env.example:

1. SIGN_COOKIES defaults to false

constants.ts:

signed: (process.env.SIGN_COOKIES || "false") === "true",

Cookie signing adds an HMAC over the cookie value, preventing client-side tampering. It defaults to off. In production it should be required. The .env.example doesn't mention it at all.

2. JWT_SECRET has no minimum entropy guidance

.env.example:

JWT_SECRET=fake-string

A short or guessable secret makes offline JWT brute-force practical. NIST SP 800-107 recommends at least 256 bits (32 bytes) for HMAC-SHA256.

Fix

Update .env.example:

# At least 32 random bytes (256 bits) — generate with: openssl rand -hex 32
JWT_SECRET=

# Enable HMAC signing on auth cookies in production
SIGN_COOKIES=true

Optionally add a startup check that refuses to start if JWT_SECRET is under 32 characters in production.

Context

Part of pre-NGO-onboarding security audit.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions