apply security audit

backend/src/config/environment.ts

@@ -55,7 +55,7 @@ const environment: EnvironmentConfig = {
     password: process.env.DB_PASSWORD || 'dev_password',
   },
   jwt: {
-    secret: process.env.JWT_SECRET || 'your-secret-key-change-in-production',
+    secret: process.env.JWT_SECRET || '',
     expiresIn: process.env.JWT_EXPIRES_IN || '24h',
   },
   cors: {
@@ -83,4 +83,31 @@ const environment: EnvironmentConfig = {
   },
 };
 
+function validateEnvironment(env: EnvironmentConfig): void {
+  const secret = env.jwt.secret;
+
+  if (!secret) {
+    throw new Error(
+      'FATAL: JWT_SECRET is not set. ' +
+      'Set a strong, random secret of at least 32 characters before starting the server.'
+    );
+  }
+
+  if (secret === 'your-secret-key-change-in-production') {
+    throw new Error(
+      'FATAL: JWT_SECRET is still set to the known weak default value. ' +
+      'Replace it with a strong, random secret of at least 32 characters.'
+    );
+  }
+
+  if (secret.length < 32) {
+    throw new Error(
+      `FATAL: JWT_SECRET is too short (${secret.length} characters). ` +
+      'A minimum of 32 characters is required.'
+    );
+  }
+}
+
+validateEnvironment(environment);
+
 export default environment;