Cybersecurity Best Practices
1. Don’t use an unhashed and unsalted JWT_SECRET that does not expire after the event ends. If an attacker discovers the secret, they can forge JWTs. A JWT usually contains information about the user; if that information includes the role (USER, ADMIN, or others), the attacker can set it to whatever they want. This can be harmful, but the damage can be kept under control if the next point is taken into consideration.