- Do not commit secrets. Use `backend/.env` locally (keep it out of version control) and a secret manager in production.
- Rotate `JWT_SECRET` and `DOCUMENTS_MASTER_KEY_BASE64` on compromise. A new `JWT_SECRET` invalidates every token signed with the old one, and documents encrypted under the old master key must be re-encrypted before that key is discarded.
- Restrict admin access using MFA, strong passwords, and network controls (for example, IP allow-listing or VPN-only reachability).
- Keep dependencies updated and scan them for known vulnerabilities.
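The rotation step above, as an added example (not part of this project's code): it generates fresh values for the two secrets, rewrites them into a `.env` file while leaving unrelated lines intact, and shows that a token signed with the old `JWT_SECRET` no longer verifies. It assumes HS256 JWTs and a 32-byte (AES-256) master key stored as standard base64; the sample `.env` content is constructed for the demo.

```python
"""Rotate JWT_SECRET and DOCUMENTS_MASTER_KEY_BASE64 in a .env file.

Added example, not project code. Assumes HS256 JWTs and a 32-byte master
key stored as standard base64 (both assumptions, not taken from the README).
"""
import base64
import hashlib
import hmac
import json
import secrets

ROTATED_KEYS = ("JWT_SECRET", "DOCUMENTS_MASTER_KEY_BASE64")


def new_jwt_secret() -> str:
    # 48 random bytes -> 64 URL-safe chars (384 bits), above HS256's 256-bit minimum.
    return secrets.token_urlsafe(48)


def new_master_key_b64() -> str:
    # 32 random bytes = one AES-256 key, standard base64 as the variable name suggests.
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")


def decode_master_key(value: str) -> bytes:
    """Decode DOCUMENTS_MASTER_KEY_BASE64 and refuse anything that is not exactly 32 bytes."""
    key = base64.b64decode(value, validate=True)
    if len(key) != 32:
        raise ValueError(f"master key must be 32 bytes, got {len(key)}")
    return key


def rotate_env(env_text: str) -> tuple[str, dict[str, str]]:
    """Return (new .env text, {name: new value}) with both secrets replaced.

    Comments and unrelated variables are kept verbatim; a secret that is
    missing from the file is appended so the rotated file is complete.
    """
    fresh = {"JWT_SECRET": new_jwt_secret(),
             "DOCUMENTS_MASTER_KEY_BASE64": new_master_key_b64()}
    out, seen = [], set()
    for line in env_text.splitlines():
        name, sep, _ = line.partition("=")
        name = name.strip()
        if sep and name in fresh:
            out.append(f"{name}={fresh[name]}")
            seen.add(name)
        else:
            out.append(line)
    for name in ROTATED_KEYS:
        if name not in seen:
            out.append(f"{name}={fresh[name]}")
    return "\n".join(out) + "\n", fresh


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Minimal HS256 JWT signer (stdlib only) used to show the effect of rotation."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode("utf-8"), f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str) -> bool:
    """True only if the token is HS256 and its MAC matches under *secret*."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header, payload, sig = parts
    try:
        hdr = json.loads(_b64url_decode(header))
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return False  # HS256 only: no "none" or RS/HS confusion
        expected = hmac.new(secret.encode("utf-8"), f"{header}.{payload}".encode("ascii"),
                            hashlib.sha256).digest()
        return hmac.compare_digest(_b64url(expected), sig)
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # Constructed sample .env; the values are placeholders, not real secrets.
    sample = ("JWT_SECRET=dev-only-secret\n"
              "DOCUMENTS_MASTER_KEY_BASE64=" + "A" * 43 + "=\n"
              "DATABASE_URL=postgres://localhost/app\n")
    token = sign_hs256({"sub": "admin", "role": "admin"}, "dev-only-secret")
    new_text, fresh = rotate_env(sample)
    print(new_text)
    print("old token valid under old secret:", verify_hs256(token, "dev-only-secret"))
    print("old token valid under new secret:", verify_hs256(token, fresh["JWT_SECRET"]))
```

The script only rotates the values in the file. Re-encrypting stored documents from the old master key to the new one depends on how the backend stores them, which this page does not describe, so that step has to be done against the real data before the old key is destroyed. Write the rotated file with restrictive permissions and never log the new values.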