Security Secrets

  • Never hardcode secrets in source code, tests, examples, or docs.
  • Never commit .env*, credential dumps, or provider tokens.
  • Store secrets only in platform-managed secret storage (Railway variables).
  • Rotate secrets on a fixed cadence and immediately after any leak.
  • Use least-privilege database users and scoped provider credentials.
  • Separate credentials across environments (dev/test/prod isolation).
  • Monitor and alert on failed auth bursts and provider abuse patterns.
  • Revoke and reissue exposed keys before re-deploy.
  • Keep JWT_SECRET strong and rotate regularly.
  • Keep BCRYPT_SALT_ROUNDS configured (default fallback exists but should be explicit in production).
  • Validate all input through Zod middleware before controller execution.
  • Keep rate limits active in production (globalLimiter, authLimiter).

Bad:

const OPENAI_API_KEY = "sk-live-...";

Good:

const OPENAI_API_KEY = process.env.OPENAI_API_KEY;
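The "Good" line above only moves the secret out of source; a missing or weak value still ships silently. The loader below is an added example, not the project's own code: it reads OPENAI_API_KEY, JWT_SECRET and BCRYPT_SALT_ROUNDS from an env object, enforces the strength and "explicit in production" rules listed above, and fails fast. The 32-byte JWT_SECRET minimum, the distinct-character check and the fallback of 10 rounds are assumptions, not values stated on this page; it uses plain checks rather than Zod so it runs without dependencies.

```javascript
// Added example (not the project's code): fail-fast loader for the secrets named on this page.
// Takes an env object instead of reading process.env directly so it can be tested with constructed input.
const MIN_JWT_SECRET_BYTES = 32;        // assumption: 256 bits of key material for HMAC-signed JWTs
const MIN_JWT_DISTINCT_CHARS = 8;       // assumption: rejects padded or repeated low-entropy values
const DEFAULT_BCRYPT_SALT_ROUNDS = 10;  // assumption: the page does not state the project's fallback

class ConfigError extends Error {}

function loadSecrets(env = process.env) {
  const nodeEnv = env.NODE_ENV || "development";
  const isProd = nodeEnv === "production";
  const warnings = [];

  // Provider token: must come from platform-managed variables, never from source.
  const openaiKey = env.OPENAI_API_KEY;
  if (!openaiKey) throw new ConfigError("OPENAI_API_KEY is not set");

  // JWT_SECRET: present, long enough, and not a padded/repeated placeholder.
  const jwtSecret = env.JWT_SECRET;
  if (!jwtSecret) throw new ConfigError("JWT_SECRET is not set");
  if (Buffer.byteLength(jwtSecret, "utf8") < MIN_JWT_SECRET_BYTES) {
    throw new ConfigError(`JWT_SECRET must be at least ${MIN_JWT_SECRET_BYTES} bytes`);
  }
  if (new Set(jwtSecret).size < MIN_JWT_DISTINCT_CHARS) {
    throw new ConfigError("JWT_SECRET has too little variety; generate it from a CSPRNG");
  }

  // BCRYPT_SALT_ROUNDS: a fallback is tolerated outside production, never inside it.
  let saltRounds;
  if (env.BCRYPT_SALT_ROUNDS === undefined) {
    if (isProd) throw new ConfigError("BCRYPT_SALT_ROUNDS must be set explicitly in production");
    saltRounds = DEFAULT_BCRYPT_SALT_ROUNDS;
    warnings.push(`BCRYPT_SALT_ROUNDS unset; using default ${DEFAULT_BCRYPT_SALT_ROUNDS}`);
  } else {
    saltRounds = Number(env.BCRYPT_SALT_ROUNDS);
    // bcrypt cost is an integer in [4, 31]; anything below 10 is too cheap for modern hardware.
    if (!Number.isInteger(saltRounds) || saltRounds < 10 || saltRounds > 31) {
      throw new ConfigError("BCRYPT_SALT_ROUNDS must be an integer between 10 and 31");
    }
  }

  return { nodeEnv, openaiKey, jwtSecret, saltRounds, warnings };
}

// Use this, not the raw value, whenever a secret has to appear in a log line or error message.
function redact(value) {
  return value.length <= 8 ? "****" : `${value.slice(0, 4)}****`;
}
```

Call `loadSecrets()` once at process start and let a thrown ConfigError abort boot; the returned `warnings` array is meant to be logged, never the secrets themselves.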

  1. Rotate the affected secret.
  2. Invalidate active sessions if the JWT secret is compromised.
  3. Audit recent deploys/logs for misuse.
  4. Ship a post-incident changelog note.