diff --git a/.env b/.env
deleted file mode 100644
index 3a7d21d..0000000
--- a/.env
+++ /dev/null
@@ -1,3 +0,0 @@
-JWT_SECRET=123
-CLUSTER_SECRET=please_change
-ADMIN_PASSWORD=admin123
\ No newline at end of file
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..18b994d
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,20 @@
+# Copy this file to .env and replace every value below with a strong, random
+# secret before starting DynaRust. The server refuses to boot if any of these
+# is unset, equal to a known placeholder, or shorter than 16 characters.
+#
+# Generate strong secrets, e.g.:
+#   openssl rand -hex 32
+
+# Signing key for user / admin JWTs.
+JWT_SECRET=replace-me-with-at-least-16-random-bytes
+
+# Shared secret used to authenticate node-to-node cluster traffic (joins,
+# replication, gossip, internal reads/writes). Anyone with this value can
+# read or modify every record in the cluster.
+CLUSTER_SECRET=replace-me-with-at-least-16-random-bytes
+
+# Password gating the /admin dashboard.
+ADMIN_PASSWORD=replace-me-with-at-least-16-random-bytes
+
+# Optional: set to "https" to terminate TLS with the certs under ./cert.
+# DYNA_MODE=https
diff --git a/.gitignore b/.gitignore
index 47ac7b3..8a59e99 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,6 @@ snapshots/*
 data/*
 cert/*
 DynaRust
-encryption.key
\ No newline at end of file
+encryption.key
+.env
+.env.local
\ No newline at end of file
diff --git a/src/main.rs b/src/main.rs
index a9043b7..ce1da95 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -57,10 +57,43 @@ fn merge_global_store(
     }
 }
 
+/// Refuse to boot when a critical secret is missing or set to a value from a
+/// known weak / placeholder list. This prevents misconfiguration from turning
+/// the cluster auth bypasses (e.g. `X-Internal-Request: default_secret`) into
+/// open doors.
+fn require_secret(name: &str, forbidden: &[&str]) {
+    let value = match env::var(name) {
+        Ok(v) => v,
+        Err(_) => {
+            eprintln!(
+                "fatal: {} environment variable is not set. Refusing to start.",
+                name
+            );
+            process::exit(1);
+        }
+    };
+    if forbidden.iter().any(|f| value == *f) {
+        eprintln!(
+            "fatal: {} is set to a known-insecure default value. Refusing to start.",
+            name
+        );
+        process::exit(1);
+    }
+    if value.len() < 16 {
+        eprintln!(
+            "fatal: {} is too short (minimum 16 characters). Refusing to start.",
+            name
+        );
+        process::exit(1);
+    }
+}
+
 
 #[actix_web::main]
 async fn main() -> std::io::Result<()> {
-    dotenvy::dotenv().unwrap();
+    // dotenv is optional; in production credentials should come from the
+    // environment / a secret manager rather than a committed .env file.
+    let _ = dotenvy::dotenv();
     let args: Vec<String> = env::args().collect();
     if args.len() < 2 {
         eprintln!("Usage: {} <current_node_address> [join_node_address]", args[0]);
@@ -69,13 +102,12 @@ async fn main() -> std::io::Result<()> {
     let current_node = args[1].clone();
     // Use the current node address for binding.
     let bind_addr = current_node.clone();
-    match env::var("JWT_SECRET") {
-        Ok(secret) => secret,
-        Err(_) => {
-            eprintln!("JWT_SECRET environment variable not set");
-            std::process::exit(1);
-        }
-    };
+
+    // Refuse to boot with missing or known-insecure secrets. Falling back to
+    // hard-coded defaults silently turns the cluster into an open door.
+    require_secret("JWT_SECRET", &["", "default_jwt_secret", "123", "changeme", "secret"]);
+    require_secret("CLUSTER_SECRET", &["", "default_secret", "please_change", "changeme"]);
+    require_secret("ADMIN_PASSWORD", &["", "admin", "admin123", "password", "changeme"]);
 
     // Initialize the local in‑memory multi‑table key–value store.
     let state = web::Data::new(AppState {
diff --git a/src/network/broadcaster.rs b/src/network/broadcaster.rs
index 1eb1350..c154e88 100644
--- a/src/network/broadcaster.rs
+++ b/src/network/broadcaster.rs
@@ -35,7 +35,7 @@ fn get_scheme() -> &'static str {
 }
 
 /// Strip any existing scheme/trailing slash from `node` and build a full URL.
-fn build_url(node: &str, endpoint: &str) -> String {
+pub fn build_url(node: &str, endpoint: &str) -> String {
     let scheme = get_scheme();
     let host = node
         .trim_start_matches("http://")
diff --git a/src/security/authentication.rs b/src/security/authentication.rs
index 6186805..b7dd173 100644
--- a/src/security/authentication.rs
+++ b/src/security/authentication.rs
@@ -5,10 +5,10 @@ use sha2::{Digest, Sha256};
 use hex;
 use chrono::{Utc, Duration};
 use std::collections::HashMap;
-use std::env;
 use jsonwebtoken::{encode, Header, EncodingKey};
 
-use crate::storage::engine::{get_active_nodes, get_jwt_secret, get_replication_nodes, AppState, ClusterData, VersionedValue};
+use crate::network::broadcaster::build_url;
+use crate::storage::engine::{get_active_nodes, get_cluster_secret, get_jwt_secret, get_replication_nodes, is_safe_name, AppState, ClusterData, VersionedValue};
 use crate::storage::subscription::{KeyEvent, SubscriptionManager};
 
 /// Incoming JSON payload.
@@ -34,11 +34,14 @@ pub async fn access(
     sub_manager: web::Data<SubscriptionManager>,
 ) -> impl Responder {
     let username = user.into_inner();
+    if !is_safe_name(&username) {
+        return HttpResponse::BadRequest().json(json!({"error": "Invalid username"}));
+    }
 
     println!("Access request for user: {}", username);
 
 
-    let cluster_secret = env::var("CLUSTER_SECRET").unwrap_or_else(|_| "default_secret".to_string());
+    let cluster_secret = get_cluster_secret();
 
     // Internal replication requests - verify secret matching
     if let Some(internal_req) = req.headers().get("X-Internal-Request") {
@@ -57,11 +60,9 @@ pub async fn access(
             let mut value_map = HashMap::new();
             value_map.insert("secret".to_string(), json!(provided_secret));
 
-            let user_header = req.headers().get("User")
-                .and_then(|h| h.to_str().ok())
-                .unwrap_or(&username);
-
-            let new_rec = VersionedValue::new(value_map, String::from(user_header), current_addr.get_ref().clone());
+            // Trust the path-derived username as the owner; the User header is
+            // attacker-controlled and was previously used to forge ownership.
+            let new_rec = VersionedValue::new(value_map, username.clone(), current_addr.get_ref().clone());
             auth_table.insert(username.clone(), new_rec.clone());
 
             println!("Successfully replicated user: {}", username);
@@ -81,53 +82,72 @@ pub async fn access(
         Ok(t) => t.secret,
         Err(_) => return HttpResponse::BadRequest().finish(),
     };
-    let is_new_user;
-    let new_value = {
+    // Hash the provided secret once, salted with the username, so identical
+    // passwords hash to different values across users (rainbow-table defense).
+    let mut hasher = Sha256::new();
+    hasher.update(username.as_bytes());
+    hasher.update(b":");
+    hasher.update(provided_secret.as_bytes());
+    let provided_hash = hex::encode(hasher.finalize());
+
+    enum AuthOutcome {
+        New(VersionedValue),
+        Existing(VersionedValue),
+        Mismatch,
+        Corrupt,
+    }
+
+    let outcome = {
         let auth_table = state.store.entry("auth".to_string()).or_default();
+        let mut value_map = HashMap::new();
+        value_map.insert("secret".to_string(), json!(provided_hash));
+        let candidate = VersionedValue::new(
+            value_map,
+            username.clone(),
+            current_addr.get_ref().clone(),
+        );
+
+        // Atomically register-or-lookup so two concurrent registrations of the
+        // same username cannot race past each other.
+        let mut outcome = AuthOutcome::Corrupt;
+        auth_table
+            .entry(username.clone())
+            .and_modify(|existing| {
+                match existing.value.get("secret").and_then(|v| v.as_str()) {
+                    Some(stored_hash) if stored_hash == provided_hash => {
+                        outcome = AuthOutcome::Existing(existing.clone());
+                    }
+                    Some(_) => {
+                        outcome = AuthOutcome::Mismatch;
+                    }
+                    None => {
+                        outcome = AuthOutcome::Corrupt;
+                    }
+                }
+            })
+            .or_insert_with(|| {
+                outcome = AuthOutcome::New(candidate.clone());
+                candidate
+            });
+        outcome
+    };
 
-        let record = auth_table.get(&username);
-        if record.is_none() {
+    let (is_new_user, new_value) = match outcome {
+        AuthOutcome::New(v) => {
             println!("New user registration: {}", username);
-            // User registration
-            let mut hasher = Sha256::new();
-            hasher.update(&provided_secret);
-            let hashed = hex::encode(hasher.finalize());
-
-            let mut value_map = HashMap::new();
-            value_map.insert("secret".to_string(), json!(hashed));
-
-            let new_rec = VersionedValue::new(value_map, username.clone(), current_addr.get_ref().clone());
-            auth_table.insert(username.clone(), new_rec.clone());
-            is_new_user = true;
-            new_rec
-        } else {
+            (true, v)
+        }
+        AuthOutcome::Existing(v) => {
             println!("Login attempt for existing user: {}", username);
-            // Login attempt
-            let user_record = record.unwrap();
-
-            let stored_hash = match user_record
-                .value
-                .get("secret")
-                .and_then(|v| v.as_str())
-            {
-                Some(h) => h,
-                None => {
-                    return HttpResponse::InternalServerError()
-                        .json(json!({"error":"Corrupt user record"}));
-                }
-            };
-
-            let mut hasher = Sha256::new();
-            hasher.update(&provided_secret);
-            let provided_hash = hex::encode(hasher.finalize());
-
-            if stored_hash != provided_hash {
-                return HttpResponse::Unauthorized()
-                    .json(json!({"error":"Invalid credentials"}));
-            }
-
-            is_new_user = false;
-            user_record.clone()
+            (false, v)
+        }
+        AuthOutcome::Mismatch => {
+            return HttpResponse::Unauthorized()
+                .json(json!({"error":"Invalid credentials"}));
+        }
+        AuthOutcome::Corrupt => {
+            return HttpResponse::InternalServerError()
+                .json(json!({"error":"Corrupt user record"}));
         }
     };
 
@@ -157,24 +177,20 @@ pub async fn access(
 
         for target in targets {
             if target != *current_addr.get_ref() {
-                // Make sure URL format matches your API route configuration
-                let url = format!("http://{}/auth/{}", target, username);
+                let url = build_url(&target, &format!("auth/{}", username));
                 println!("Preparing replication to: {}", url);
 
                 let client_clone = client.clone();
-                let username_clone = username.clone();
                 let secret_clone = hashed_secret.to_string();
 
                 let fut = async move {
                     println!("Sending replication request to: {}", url);
-                    // Create the payload with the same structure as AccessToken
                     let payload = AccessToken { secret: secret_clone };
-                    let cluster_secret = env::var("CLUSTER_SECRET").unwrap_or_else(|_| "default_secret".to_string());
+                    let cluster_secret = get_cluster_secret();
 
                     let result = client_clone
                         .post(&url)
                         .header("X-Internal-Request", cluster_secret)
-                        .header("User", &username_clone)
                         .header("Content-Type", "application/octet-stream")
                         .body(bincode::serialize(&payload).unwrap())
                         .send()
diff --git a/src/storage/admin.html b/src/storage/admin.html
index b154d68..6611dd4 100644
--- a/src/storage/admin.html
+++ b/src/storage/admin.html
@@ -500,21 +500,38 @@ <h3 style="margin-top: 0;">Cluster Statistics</h3>
                 jsonEditor.value = JSON.stringify(record.value, null, 4);
                 currentKeyNameDisp.textContent = key;
                 versionBadge.textContent = `Last Updated: ${new Date(record.timestamp).toLocaleString()}`;
-                metadataView.innerHTML = `
-                    <div>Owner: ${record.owner}</div>
-
-                    <div class="vector-clock-wrapper">
-                    <span class="vc-label">Vector Clock:</span>
-                    <div class="vc-badges">
-                        ${Object.entries(record.vector_clock).map(([nodeId, tick]) => `
-                        <span class="vc-badge">
-                            <span class="vc-node">${nodeId}</span>
-                            <span class="vc-tick">${tick}</span>
-                        </span>
-                        `).join('')}
-                    </div>
-                    </div>
-                `;
+                // Build the metadata view via DOM APIs so that user-controlled
+                // strings (owner, vector_clock keys) cannot be interpreted as
+                // HTML. Previously this used innerHTML, which let any value
+                // containing `<script>` etc. execute in the admin's browser.
+                metadataView.replaceChildren();
+                const ownerDiv = document.createElement('div');
+                ownerDiv.textContent = `Owner: ${record.owner}`;
+                metadataView.appendChild(ownerDiv);
+
+                const vcWrap = document.createElement('div');
+                vcWrap.className = 'vector-clock-wrapper';
+                const vcLabel = document.createElement('span');
+                vcLabel.className = 'vc-label';
+                vcLabel.textContent = 'Vector Clock:';
+                vcWrap.appendChild(vcLabel);
+                const vcBadges = document.createElement('div');
+                vcBadges.className = 'vc-badges';
+                Object.entries(record.vector_clock || {}).forEach(([nodeId, tick]) => {
+                    const badge = document.createElement('span');
+                    badge.className = 'vc-badge';
+                    const nodeSpan = document.createElement('span');
+                    nodeSpan.className = 'vc-node';
+                    nodeSpan.textContent = nodeId;
+                    const tickSpan = document.createElement('span');
+                    tickSpan.className = 'vc-tick';
+                    tickSpan.textContent = String(tick);
+                    badge.appendChild(nodeSpan);
+                    badge.appendChild(tickSpan);
+                    vcBadges.appendChild(badge);
+                });
+                vcWrap.appendChild(vcBadges);
+                metadataView.appendChild(vcWrap);
                 noRecordSelected.classList.add('hidden');
                 editorContainer.classList.remove('hidden');
             } catch (e) { console.error(e); }
diff --git a/src/storage/admin.rs b/src/storage/admin.rs
index 097f371..b82f2cd 100644
--- a/src/storage/admin.rs
+++ b/src/storage/admin.rs
@@ -5,7 +5,11 @@ use std::collections::HashMap;
 use std::env;
 use std::sync::Arc;
 use tokio::sync::Semaphore;
-use crate::storage::engine::{AppState, ClusterData, VersionedValue, get_active_nodes, get_replication_nodes};
+use crate::network::broadcaster::build_url;
+use crate::storage::engine::{
+    get_active_nodes, get_cluster_secret, get_jwt_secret, get_replication_nodes, is_safe_name,
+    AppState, ClusterData, VersionedValue,
+};
 use crate::storage::subscription::{KeyEvent, SubscriptionManager};
 use jsonwebtoken::{encode, Header, EncodingKey, decode, DecodingKey, Validation};
 use chrono::{Utc, Duration};
@@ -22,8 +26,15 @@ struct AdminClaims {
     admin: bool,
 }
 
-pub fn get_jwt_secret() -> String {
-    env::var("JWT_SECRET").unwrap_or_else(|_| "default_jwt_secret".to_string())
+fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
+    if a.len() != b.len() {
+        return false;
+    }
+    let mut diff: u8 = 0;
+    for (x, y) in a.iter().zip(b.iter()) {
+        diff |= x ^ y;
+    }
+    diff == 0
 }
 
 pub async fn admin_dashboard() -> impl Responder {
@@ -32,9 +43,20 @@ pub async fn admin_dashboard() -> impl Responder {
 }
 
 pub async fn admin_login(req: Json<AdminLoginRequest>) -> impl Responder {
-    let master_password = env::var("ADMIN_PASSWORD").unwrap_or_else(|_| "admin123".to_string());
-    
-    if req.password == master_password {
+    // Refuse to authenticate if no admin password is configured rather than
+    // silently falling back to a hard-coded default.
+    let master_password = match env::var("ADMIN_PASSWORD") {
+        Ok(p) if !p.is_empty() => p,
+        _ => {
+            eprintln!("admin_login: ADMIN_PASSWORD is not configured");
+            return HttpResponse::ServiceUnavailable()
+                .json(json!({"error": "Admin login is not configured"}));
+        }
+    };
+
+    // Constant-time comparison to avoid leaking the password byte-by-byte
+    // through response-time differences.
+    if constant_time_eq(req.password.as_bytes(), master_password.as_bytes()) {
         let exp = (Utc::now() + Duration::hours(24)).timestamp() as usize;
         let claims = AdminClaims { 
             sub: "admin".to_string(), 
@@ -89,13 +111,16 @@ pub async fn admin_get_tables(req: HttpRequest, state: web::Data<AppState>) -> i
 }
 
 pub async fn admin_get_keys(
-    req: HttpRequest, 
-    path: web::Path<String>, 
+    req: HttpRequest,
+    path: web::Path<String>,
     state: web::Data<AppState>
 ) -> impl Responder {
     if !validate_admin_token(&req) { return HttpResponse::Unauthorized().finish(); }
-    
+
     let table_name = path.into_inner();
+    if !is_safe_name(&table_name) {
+        return HttpResponse::BadRequest().json(json!({"error": "Invalid table name"}));
+    }
     if let Some(table) = state.store.get(&table_name) {
         let keys: Vec<String> = table.iter().map(|kv| kv.key().clone()).collect();
         HttpResponse::Ok().json(keys)
@@ -110,8 +135,11 @@ pub async fn admin_get_record(
     state: web::Data<AppState>
 ) -> impl Responder {
     if !validate_admin_token(&req) { return HttpResponse::Unauthorized().finish(); }
-    
+
     let (table_name, key) = path.into_inner();
+    if !is_safe_name(&table_name) || !is_safe_name(&key) {
+        return HttpResponse::BadRequest().json(json!({"error": "Invalid table or key name"}));
+    }
     if let Some(table) = state.store.get(&table_name) {
         if let Some(record) = table.get(&key) {
             return HttpResponse::Ok().json(record.clone());
@@ -132,9 +160,12 @@ pub async fn admin_put_record(
     body: web::Json<HashMap<String, Value>>,
 ) -> impl Responder {
     if !validate_admin_token(&req) { return HttpResponse::Unauthorized().finish(); }
-    
+
     let (table_name, key_val) = path.into_inner();
-    
+    if !is_safe_name(&table_name) || !is_safe_name(&key_val) {
+        return HttpResponse::BadRequest().json(json!({"error": "Invalid table or key name"}));
+    }
+
     // Admin PUT bypasses ownership check but updates version
     let new_value = {
         let table = state.store.entry(table_name.clone()).or_default();
@@ -171,9 +202,12 @@ pub async fn admin_delete_record(
     sem: web::Data<Arc<Semaphore>>,
 ) -> impl Responder {
     if !validate_admin_token(&req) { return HttpResponse::Unauthorized().finish(); }
-    
+
     let (table_name, key_val) = path.into_inner();
-    
+    if !is_safe_name(&table_name) || !is_safe_name(&key_val) {
+        return HttpResponse::BadRequest().json(json!({"error": "Invalid table or key name"}));
+    }
+
     if let Some(table) = state.store.get(&table_name) {
         table.remove(&key_val);
     }
@@ -192,10 +226,10 @@ pub async fn admin_delete_record(
 
     for target in targets {
         if target != *current_addr.get_ref() {
-            let url = format!("http://{}/{}/key/{}", target, table_name, key_val);
+            let url = build_url(&target, &format!("{}/key/{}", table_name, key_val));
             let client_clone = client.clone();
             let permit = <Arc<Semaphore> as Clone>::clone(&sem).acquire_owned().await.unwrap();
-            let cluster_secret = env::var("CLUSTER_SECRET").unwrap_or_else(|_| "default_secret".to_string());
+            let cluster_secret = get_cluster_secret();
 
             tokio::spawn(async move {
                 let _permit = permit;
@@ -226,7 +260,7 @@ async fn replicate_admin_change(
     drop(cluster);
 
     let targets = get_replication_nodes(key_val, &active, active.len());
-    let secret = env::var("CLUSTER_SECRET").unwrap_or_default();
+    let secret = get_cluster_secret();
 
     for target in targets {
         if target == *current_addr {
@@ -235,10 +269,7 @@ async fn replicate_admin_change(
         let permit = <Arc<Semaphore> as Clone>::clone(sem).acquire_owned().await.unwrap();
         let cli = client.clone();
         let payload = new_value.clone();
-        let url = format!(
-            "http://{}/internal/{}/key/{}",
-            target, table_name, key_val
-        );
+        let url = build_url(&target, &format!("internal/{}/key/{}", table_name, key_val));
         let secret_clone = secret.clone();
 
         tokio::spawn(async move {
diff --git a/src/storage/engine.rs b/src/storage/engine.rs
index d93782b..9581a9e 100644
--- a/src/storage/engine.rs
+++ b/src/storage/engine.rs
@@ -1,5 +1,5 @@
 use crate::Arc;
-use crate::network::broadcaster::gossip_membership;
+use crate::network::broadcaster::{build_url, gossip_membership};
 use crate::storage::subscription::{KeyEvent, SubscriptionManager};
 use actix_web::{HttpRequest, HttpResponse, Responder, web};
 use futures::future::BoxFuture;
@@ -137,6 +137,26 @@ pub fn get_jwt_secret() -> String {
     })
 }
 
+/// Return the configured cluster secret. The process is expected to refuse to
+/// start without a non-default `CLUSTER_SECRET` (see `main.rs`), so anything
+/// reached at runtime is trusted to be a deliberate value.
+pub fn get_cluster_secret() -> String {
+    env::var("CLUSTER_SECRET").unwrap_or_else(|_| {
+        eprintln!("error: CLUSTER_SECRET environment variable not set");
+        process::exit(1);
+    })
+}
+
+/// Reject table/key names that could escape the data directory or otherwise
+/// be used to forge file paths during persistence. Names must be non-empty,
+/// must not equal `.`/`..`, and must not contain path separators or NUL.
+pub fn is_safe_name(name: &str) -> bool {
+    if name.is_empty() || name == "." || name == ".." || name.len() > 255 {
+        return false;
+    }
+    !name.chars().any(|c| matches!(c, '/' | '\\' | '\0'))
+}
+
 /// Get current timestamp in milliseconds.
 pub fn current_timestamp() -> u128 {
     SystemTime::now()
@@ -246,8 +266,10 @@ pub async fn get_value(
     sem: web::Data<Arc<Semaphore>>,
 ) -> impl Responder {
     let (table_name, key_val) = path.into_inner();
-    let cluster_secret =
-        env::var("CLUSTER_SECRET").unwrap_or_else(|_| "default_secret".to_string());
+    if !is_safe_name(&table_name) || !is_safe_name(&key_val) {
+        return HttpResponse::BadRequest().json(json!({"error": "Invalid table or key name"}));
+    }
+    let cluster_secret = get_cluster_secret();
 
     // 1️⃣ Internal Replication Request - Verify Secret
     if let Some(internal_req) = req.headers().get("X-Internal-Request") {
@@ -294,7 +316,7 @@ pub async fn get_value(
                 });
             futures_vec.push(fut);
         } else {
-            let url = format!("http://{}/{}/key/{}", target, table_name, key_val);
+            let url = build_url(&target, &format!("{}/key/{}", table_name, key_val));
             let client_inner = client.get_ref().clone();
             let secret_clone = cluster_secret.clone();
 
@@ -389,9 +411,9 @@ pub async fn get_value(
 
             tokio::spawn(async move {
                 let _permit = permit;
-                let url = format!(
-                    "http://{}/internal/{}/key/{}",
-                    target, table_repair, key_repair
+                let url = build_url(
+                    &target,
+                    &format!("internal/{}/key/{}", table_repair, key_repair),
                 );
                 let _ = cli
                     .put(&url)
@@ -428,6 +450,9 @@ pub async fn patch_value(
     body: web::Json<HashMap<String, Value>>,
 ) -> impl Responder {
     let (table_name, key_val) = path.into_inner();
+    if !is_safe_name(&table_name) || !is_safe_name(&key_val) {
+        return HttpResponse::BadRequest().json(json!({"error": "Invalid table or key name"}));
+    }
 
     // 1️⃣ Authenticate external user via JWT
     let user = match extract_user_from_token(&req) {
@@ -465,8 +490,7 @@ pub async fn patch_value(
     drop(cluster);
 
     let targets = get_replication_nodes(&key_val, &active, active.len());
-    let cluster_secret =
-        env::var("CLUSTER_SECRET").unwrap_or_else(|_| "default_secret".to_string());
+    let cluster_secret = get_cluster_secret();
 
     for target in targets {
         if target == *current_addr.get_ref() {
@@ -479,7 +503,7 @@ pub async fn patch_value(
             .unwrap();
         let cli = client.clone();
         let payload = new_value.clone();
-        let url = format!("http://{}/internal/{}/key/{}", target, table_name, key_val);
+        let url = build_url(&target, &format!("internal/{}/key/{}", table_name, key_val));
 
         let secret_clone = cluster_secret.clone();
 
@@ -526,6 +550,9 @@ pub async fn put_value(
     body: web::Json<HashMap<String, Value>>,
 ) -> impl Responder {
     let (table_name, key_val) = path.into_inner();
+    if !is_safe_name(&table_name) || !is_safe_name(&key_val) {
+        return HttpResponse::BadRequest().json(json!({"error": "Invalid table or key name"}));
+    }
 
     // 1️⃣ Authenticate external user via JWT
     let user = match extract_user_from_token(&req) {
@@ -564,8 +591,7 @@ pub async fn put_value(
     drop(cluster);
 
     let targets = get_replication_nodes(&key_val, &active, active.len());
-    let cluster_secret =
-        env::var("CLUSTER_SECRET").unwrap_or_else(|_| "default_secret".to_string());
+    let cluster_secret = get_cluster_secret();
 
     for target in targets {
         // acquire a permit (will await if > 20 in flight)
@@ -575,7 +601,7 @@ pub async fn put_value(
             .unwrap();
         let cli = client.clone();
         let payload = new_value.clone();
-        let url = format!("http://{}/internal/{}/key/{}", target, table_name, key_val);
+        let url = build_url(&target, &format!("internal/{}/key/{}", table_name, key_val));
 
         let secret_clone = cluster_secret.clone();
 
@@ -629,10 +655,12 @@ pub async fn put_value_internal(
     body: web::Json<VersionedValue>,
 ) -> impl Responder {
     let (table_name, key_val) = path.into_inner();
+    if !is_safe_name(&table_name) || !is_safe_name(&key_val) {
+        return HttpResponse::BadRequest().json(json!({"error": "Invalid table or key name"}));
+    }
 
     // 1️⃣ Cluster‐secret check
-    let cluster_secret =
-        env::var("CLUSTER_SECRET").unwrap_or_else(|_| "default_secret".to_string());
+    let cluster_secret = get_cluster_secret();
     let provided_secret = req
         .headers()
         .get("X-Internal-Request")
@@ -679,8 +707,10 @@ pub async fn delete_value(
     sem: web::Data<Arc<Semaphore>>,
 ) -> impl Responder {
     let (table_name, key_val) = path.into_inner();
-    let cluster_secret =
-        env::var("CLUSTER_SECRET").unwrap_or_else(|_| "default_secret".to_string());
+    if !is_safe_name(&table_name) || !is_safe_name(&key_val) {
+        return HttpResponse::BadRequest().json(json!({"error": "Invalid table or key name"}));
+    }
+    let cluster_secret = get_cluster_secret();
 
     // FIX: Internal requests bypass auth ONLY if the secret matches.
     if let Some(internal_req) = req.headers().get("X-Internal-Request") {
@@ -738,7 +768,7 @@ pub async fn delete_value(
 
     for target in targets {
         if target != *current_addr.get_ref() {
-            let url = format!("http://{}/{}/key/{}", target, table_name, key_val);
+            let url = build_url(&target, &format!("{}/key/{}", table_name, key_val));
             let client_clone = client.clone();
             let secret_clone = cluster_secret.clone();
 
@@ -784,21 +814,51 @@ pub async fn delete_value(
 //
 
 pub async fn get_table_store(
+    req: HttpRequest,
     table: web::Path<String>,
     state: web::Data<AppState>,
 ) -> impl Responder {
     let table_name = table.into_inner();
+    if !is_safe_name(&table_name) {
+        return HttpResponse::BadRequest().json(json!({"error": "Invalid table name"}));
+    }
+    let user = match extract_user_from_token(&req) {
+        Ok(u) => u,
+        Err(resp) => return resp,
+    };
     if let Some(table_db) = state.store.get(&table_name) {
-        HttpResponse::Ok().json(&*table_db)
+        // Only expose records the caller owns to avoid leaking other users'
+        // data (including hashed credentials in the "auth" table).
+        let filtered: HashMap<String, VersionedValue> = table_db
+            .iter()
+            .filter(|kv| kv.value().owner == user)
+            .map(|kv| (kv.key().clone(), kv.value().clone()))
+            .collect();
+        HttpResponse::Ok().json(filtered)
     } else {
         HttpResponse::NotFound().json(json!({"error": "Table not found"}))
     }
 }
 
-pub async fn get_all_keys(table: web::Path<String>, state: web::Data<AppState>) -> impl Responder {
+pub async fn get_all_keys(
+    req: HttpRequest,
+    table: web::Path<String>,
+    state: web::Data<AppState>,
+) -> impl Responder {
     let table_name = table.into_inner();
+    if !is_safe_name(&table_name) {
+        return HttpResponse::BadRequest().json(json!({"error": "Invalid table name"}));
+    }
+    let user = match extract_user_from_token(&req) {
+        Ok(u) => u,
+        Err(resp) => return resp,
+    };
     if let Some(table_db) = state.store.get(&table_name) {
-        let keys: Vec<String> = table_db.iter().map(|kv| kv.key().clone()).collect();
+        let keys: Vec<String> = table_db
+            .iter()
+            .filter(|kv| kv.value().owner == user)
+            .map(|kv| kv.key().clone())
+            .collect();
         HttpResponse::Ok().json(keys)
     } else {
         HttpResponse::NotFound().json(json!({"error": "Table not found"}))
@@ -806,18 +866,28 @@ pub async fn get_all_keys(table: web::Path<String>, state: web::Data<AppState>)
 }
 
 pub async fn get_multiple_keys(
+    req: HttpRequest,
     table: web::Path<String>,
     keys_request: Json<KeysRequest>,
     state: web::Data<AppState>,
 ) -> impl Responder {
     let table_name = table.into_inner();
+    if !is_safe_name(&table_name) {
+        return HttpResponse::BadRequest().json(json!({"error": "Invalid table name"}));
+    }
+    let user = match extract_user_from_token(&req) {
+        Ok(u) => u,
+        Err(resp) => return resp,
+    };
     let requested_keys = keys_request.into_inner().keys;
 
     if let Some(table_data) = state.store.get(&table_name) {
         let mut result: HashMap<String, VersionedValue> = HashMap::new();
         for key in requested_keys {
             if let Some(value) = table_data.get(&key) {
-                result.insert(key, value.clone());
+                if value.owner == user {
+                    result.insert(key, value.clone());
+                }
             }
         }
         HttpResponse::Ok().json(result)
@@ -837,8 +907,7 @@ pub async fn join_cluster(
     client: web::Data<reqwest::Client>,
     sem: web::Data<Arc<Semaphore>>,
 ) -> impl Responder {
-    let cluster_secret =
-        env::var("CLUSTER_SECRET").unwrap_or_else(|_| "default_secret".to_string());
+    let cluster_secret = get_cluster_secret();
 
     if request.secret != cluster_secret {
         return HttpResponse::Unauthorized().body("Invalid cluster secret");
@@ -881,7 +950,7 @@ pub async fn join_cluster(
     HttpResponse::Ok().json(nodes_guard.clone())
 }
 pub async fn get_global_store(req: HttpRequest, state: web::Data<AppState>) -> impl Responder {
-    let valid_api_key = env::var("CLUSTER_SECRET").unwrap_or_else(|_| "default_secret".to_string());
+    let valid_api_key = get_cluster_secret();
     match req.headers().get("x-api-key") {
         Some(header_value) => {
             if let Ok(api_key) = header_value.to_str() {
diff --git a/src/storage/subscription.rs b/src/storage/subscription.rs
index 0317826..b04ddbc 100644
--- a/src/storage/subscription.rs
+++ b/src/storage/subscription.rs
@@ -65,15 +65,58 @@ impl SubscriptionManager {
 }
 // storage/subscription.rs (continued)
 
-use actix_web::{web, HttpResponse, Responder};
-use crate::storage::engine::VersionedValue;
+use actix_web::{web, HttpRequest, HttpResponse, Responder};
+use jsonwebtoken::{decode, DecodingKey, Validation};
+use serde_json::json;
+use crate::storage::engine::{get_jwt_secret, is_safe_name, VersionedValue};
+
+#[derive(Debug, Serialize, Deserialize)]
+struct SubClaims {
+    sub: String,
+    exp: usize,
+}
+
+fn authenticate(req: &HttpRequest) -> Option<String> {
+    let auth = req.headers().get("Authorization")?.to_str().ok()?;
+    let token = auth.strip_prefix("Bearer ")?.trim();
+    decode::<SubClaims>(
+        token,
+        &DecodingKey::from_secret(get_jwt_secret().as_ref()),
+        &Validation::default(),
+    )
+    .ok()
+    .map(|d| d.claims.sub)
+}
 
 /// Subscribe to updates on a key. The URL contains the table and key.
 pub async fn subscribe_to_key(
+    req: HttpRequest,
     path: web::Path<(String, String)>,
+    state: web::Data<crate::storage::engine::AppState>,
     sub_manager: web::Data<SubscriptionManager>,
 ) -> impl Responder {
     let (table, key) = path.into_inner();
+    if !is_safe_name(&table) || !is_safe_name(&key) {
+        return HttpResponse::BadRequest().json(json!({"error": "Invalid table or key name"}));
+    }
+
+    let user = match authenticate(&req) {
+        Some(u) => u,
+        None => return HttpResponse::Unauthorized().json(json!({"error": "Invalid or missing token"})),
+    };
+
+    // Only allow subscribing to records owned by the caller. If the record
+    // does not exist yet we still allow it (the caller could be waiting for
+    // their own future writes), but if it exists and they are not the owner
+    // we deny — otherwise an attacker could stream another user's updates.
+    if let Some(table_db) = state.store.get(&table) {
+        if let Some(rec) = table_db.get(&key) {
+            if rec.owner != user {
+                return HttpResponse::Unauthorized()
+                    .json(json!({"error": "Not authorized to subscribe to this key"}));
+            }
+        }
+    }
 
     // Get a broadcast receiver for this key.
     let mut rx = sub_manager.subscribe(&table, &key).await;