From d661a4aa4fd85ff442c9ab705815a423271deb96 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 1 Apr 2026 16:23:47 +0000
Subject: [PATCH 1/2] Initial plan


From 8fede6bdf47de12410ee2a3dd337d6cd3f422486 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 1 Apr 2026 16:34:24 +0000
Subject: [PATCH 2/2] fix: remove insecure defaults and enforce required
 secrets in docker-compose

Agent-Logs-Url: https://github.com/MaximumTrainer/OpenDataMask/sessions/b86975ae-049e-4ba2-a2d0-27b26f3e7273

Co-authored-by: MaximumTrainer <1376575+MaximumTrainer@users.noreply.github.com>
---
 .../com/opendatamask/config/StartupSecurityValidator.kt  | 3 ++-
 .../opendatamask/config/StartupSecurityValidatorTest.kt  | 9 +++++++++
 docker-compose.yml                                       | 4 ++--
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/backend/src/main/kotlin/com/opendatamask/config/StartupSecurityValidator.kt b/backend/src/main/kotlin/com/opendatamask/config/StartupSecurityValidator.kt
index e220ce5..393921a 100644
--- a/backend/src/main/kotlin/com/opendatamask/config/StartupSecurityValidator.kt
+++ b/backend/src/main/kotlin/com/opendatamask/config/StartupSecurityValidator.kt
@@ -11,7 +11,8 @@ private val INSECURE_JWT_DEFAULTS = setOf(
 )
 
 private val INSECURE_ENCRYPTION_DEFAULTS = setOf(
-    "0123456789abcdef"
+    "0123456789abcdef",
+    "change-this-16-char-key-for-prod"
 )
 
 @Component
diff --git a/backend/src/test/kotlin/com/opendatamask/config/StartupSecurityValidatorTest.kt b/backend/src/test/kotlin/com/opendatamask/config/StartupSecurityValidatorTest.kt
index 8924805..31bdf1f 100644
--- a/backend/src/test/kotlin/com/opendatamask/config/StartupSecurityValidatorTest.kt
+++ b/backend/src/test/kotlin/com/opendatamask/config/StartupSecurityValidatorTest.kt
@@ -48,4 +48,13 @@ class StartupSecurityValidatorTest {
         )
         assertThrows<IllegalStateException> { validator.validate() }
     }
+
+    @Test
+    fun `validate throws when ENCRYPTION_KEY is the docker-compose fallback default`() {
+        val validator = createValidator(
+            jwtSecret = "secure-jwt-secret",
+            encryptionKey = "change-this-16-char-key-for-prod"
+        )
+        assertThrows<IllegalStateException> { validator.validate() }
+    }
 }
diff --git a/docker-compose.yml b/docker-compose.yml
index c9c773e..71ba3d0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -27,8 +27,8 @@ services:
       DATABASE_URL: jdbc:postgresql://postgres:5432/opendatamask
       DATABASE_USERNAME: opendatamask
       DATABASE_PASSWORD: opendatamask
-      JWT_SECRET: ${JWT_SECRET:-change-this-secret-in-production-must-be-at-least-256-bits-long}
-      ENCRYPTION_KEY: ${ENCRYPTION_KEY:-change-this-16-char-key-for-prod}
+      JWT_SECRET: ${JWT_SECRET:?JWT_SECRET must be set (generate with: openssl rand -base64 32)}
+      ENCRYPTION_KEY: ${ENCRYPTION_KEY:?ENCRYPTION_KEY must be set (generate with: openssl rand -base64 32)}
       SERVER_PORT: 8080
     depends_on:
       postgres: