Will It Vibe?
SEC-014Critical severity-25 points

Hardcoded JWT secret

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.

What it detects

Signing/verifying JWTs with a literal string secret instead of an environment variable.

Why it matters

A JWT secret written in code signs every session token, and anyone who reads the repo can forge tokens for any user, including admins. Hardcoded literals also tend to be short and guessable. Rotating it later signs out every active session, so leaks here hurt twice.

How to fix it

Move the secret to an environment variable (JWT_SECRET), generate a long random value (32 bytes or more), and read it in both jwt.sign and jwt.verify. Fail at startup if it is unset rather than falling back to a default. Rotate the value, since the old literal remains in git history, and accept that existing tokens are invalidated.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks