Problem
Two security-critical environment variables have no guidance in .env.example:
1. SIGN_COOKIES defaults to false
constants.ts:
signed: (process.env.SIGN_COOKIES || "false") === "true",
Cookie signing adds an HMAC over the cookie value, preventing client-side tampering. It defaults to off. In production it should be required. The .env.example doesn't mention it at all.
2. JWT_SECRET has no minimum entropy guidance
.env.example:
A short or guessable secret makes offline JWT brute-force practical. NIST SP 800-107 recommends at least 256 bits (32 bytes) for HMAC-SHA256.
Fix
Update .env.example:
# At least 32 random bytes (256 bits) — generate with: openssl rand -hex 32
JWT_SECRET=
# Enable HMAC signing on auth cookies in production
SIGN_COOKIES=true
Optionally add a startup check that refuses to start if JWT_SECRET is under 32 characters in production.
Context
Part of pre-NGO-onboarding security audit.
Problem
Two security-critical environment variables have no guidance in
.env.example:1. SIGN_COOKIES defaults to false
constants.ts:Cookie signing adds an HMAC over the cookie value, preventing client-side tampering. It defaults to off. In production it should be required. The
.env.exampledoesn't mention it at all.2. JWT_SECRET has no minimum entropy guidance
.env.example:A short or guessable secret makes offline JWT brute-force practical. NIST SP 800-107 recommends at least 256 bits (32 bytes) for HMAC-SHA256.
Fix
Update
.env.example:Optionally add a startup check that refuses to start if
JWT_SECRETis under 32 characters in production.Context
Part of pre-NGO-onboarding security audit.