Insecure Defaults in Configuration #16

@MaximumTrainer

Description

Gap

application.yml ships with hard-coded insecure default values for:

  • opendatamask.jwt.secret — a default string used for JWT signing. If not overridden, any token can be forged.
  • opendatamask.encryption.key — a default 16-character AES key for encrypting connection passwords.

While the README warns users to change these, the application starts without errors using insecure defaults.

Affected files:

  • backend/src/main/resources/application.yml

Required Work

  • Fail application startup when JWT_SECRET or ENCRYPTION_KEY environment variables are not explicitly set (or at minimum, when running in a non-development profile).
  • Remove insecure defaults from committed configuration files.
  • Document secure key generation in the README (e.g. openssl rand -base64 32).
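
One way to implement the fail-fast check described under Required Work, as an added example that is not part of the issue or the project's own code. It assumes a JVM backend (suggested by the src/main/resources path) and that both values are base64 strings produced by `openssl rand -base64 32`; the class name, the deny-list placeholders and the dev-profile flag are hypothetical.

```java
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Set;
/** Added example: refuse to start when JWT_SECRET or ENCRYPTION_KEY is missing, default, or too short. */
public class SecretStartupCheck {
    // Placeholders: list every literal default that was ever committed to application.yml.
    static final Set<String> KNOWN_DEFAULTS = Set.of("<old-default-jwt-secret>", "<old-default-aes-key>");
    static final List<String> REQUIRED = List.of("JWT_SECRET", "ENCRYPTION_KEY");
    static final int MIN_BYTES = 32; // assumption: values come from `openssl rand -base64 32`
    /** Throws IllegalStateException naming each failing variable; never echoes a secret value. */
    static void validate(Map<String, String> env, boolean devProfile) {
        StringBuilder problems = new StringBuilder();
        for (String name : REQUIRED) {
            String reason = reject(env.get(name));
            if (reason != null) problems.append(name).append(": ").append(reason).append("; ");
        }
        if (problems.length() == 0) return;
        if (devProfile) { // development profile: warn loudly but keep running
            System.err.println("WARNING (dev profile only): " + problems);
            return;
        }
        throw new IllegalStateException("Refusing to start: " + problems);
    }
    /** Returns null when the value is acceptable, otherwise the reason it is not. */
    static String reject(String value) {
        if (value == null || value.isBlank()) return "not set";
        if (KNOWN_DEFAULTS.contains(value)) return "matches a previously committed default";
        try {
            int n = Base64.getDecoder().decode(value.trim()).length;
            return n >= MIN_BYTES ? null : "decodes to " + n + " bytes, need " + MIN_BYTES;
        } catch (IllegalArgumentException e) {
            return "not valid base64";
        }
    }
    public static void main(String[] args) {
        // Hypothetical wiring: call validate(System.getenv(), isDev) first thing in the real main().
        String sample = Base64.getEncoder().encodeToString(new byte[32]); // constructed, shape only
        validate(Map.of("JWT_SECRET", sample, "ENCRYPTION_KEY", sample), false);
        System.out.println("well-formed values: accepted");
        try { // ENCRYPTION_KEY absent and JWT_SECRET left at a committed default
            validate(Map.of("JWT_SECRET", "<old-default-jwt-secret>"), false);
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The deny-list matters even after the defaults are removed from the repository, because existing deployments may have copied the old values into their environment.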
