True, but it is currently acceptable for the state of the API. Bearing in mind that if you are using Netlify or similar you can store the environment variables in their secure systems anyway. If a bad actor has access to your server, the JWT secret is only the start of your problem 🤷‍♂️ I'll convert this issue into a discussion for now and when the project is more advanced we can look at integrating it.
-
Is your feature request related to a problem? Please describe.
Storing the JWT encryption key on a server is not the most secure option. Using a key management engine makes it safer for a production setting.
Describe the solution you'd like
Use HashiCorp Vault integration for DB credentials (with auto-rotation), JWT secrets, etc.