The current server config requires 4 secrets for JWT decoding:
Rather than accept user input for these (and the correspondingly weak secrets that come with it), we should generate a set of long, secure secrets and store them in a configuration file (or better, in the database).
They can then be removed as configurable options in the .env file.
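As an added example (not code from this project, whose language the issue does not state): generate the four secrets from the OS CSPRNG, persist them once to an owner-only config file, and refuse to start on secrets that are missing, too short, duplicated, or readable by other users. The secret names, the JSON layout and the file path are assumptions; the 32-byte floor is the HS256 key minimum from RFC 7518.

```python
import json
import os
import secrets
import stat
from pathlib import Path

# Hypothetical names for the four JWT secrets; the issue does not list them.
SECRET_NAMES = ("jwt_access", "jwt_refresh", "jwt_reset", "jwt_verify")
MIN_SECRET_BYTES = 32  # HS256 key must be at least the hash output size (RFC 7518)
SECRET_BYTES = 64      # generated length, well above that minimum


def generate_secrets(names=SECRET_NAMES, nbytes=SECRET_BYTES):
    """Return {name: hex secret} drawn from the OS CSPRNG, never from user input."""
    return {name: secrets.token_hex(nbytes) for name in names}


def validate_secrets(cfg, names=SECRET_NAMES, min_bytes=MIN_SECRET_BYTES):
    """Reject a config whose secrets are missing, non-hex, too short, or reused."""
    for name in names:
        value = cfg.get(name)
        if not isinstance(value, str):
            raise ValueError(f"missing secret {name}")
        if len(bytes.fromhex(value)) < min_bytes:  # fromhex raises ValueError on non-hex
            raise ValueError(f"secret {name} is shorter than {min_bytes} bytes")
    if len({cfg[n] for n in names}) != len(names):
        raise ValueError("each JWT secret must be distinct")
    return True


def load_or_create_secrets(path):
    """Load the secrets file, or generate it exactly once with mode 0600."""
    path = Path(path)
    if path.exists():
        cfg = json.loads(path.read_text())
    else:
        cfg = generate_secrets()
        # O_EXCL avoids a race with a second process creating the same file.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(cfg, fh)
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:  # group/other bits set: someone else can read the secrets
        raise PermissionError(f"{path} has mode {mode:o}; expected owner-only")
    validate_secrets(cfg)
    return cfg
```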