This repository is an enterprise engineering starter, not a certification of production security.
Before launch:
- Replace
JWT_SECRETwith a high-entropy secret stored outside source control. - Set
REQUIRE_EMAIL_VERIFICATION=truewhen account verification is required. - Configure exact CORS origins; do not use wildcards with credentials.
- Terminate TLS at a trusted ingress or reverse proxy.
- Use managed PostgreSQL and Redis with private networking and encryption.
- Replace the mock payment flow with a PCI-compliant provider and signed webhooks.
- Never store card numbers, CVV values or raw payment credentials.
- Add secret rotation, dependency scanning, SAST/DAST and container scanning.
- Add object-level authorization tests for every customer-owned resource.
- Retain audit records according to business and legal requirements.
- Add privacy, tax, consumer-protection and data-retention reviews for each deployment jurisdiction.
Report security concerns privately to the repository owner rather than opening a public issue containing exploit details.