security: add startup security configuration verification #665

Open
mmcintosh wants to merge 1 commit into SonicJs-Org:main from mmcintosh:hotfix/startup-security-verification-upstream

Conversation

@mmcintosh
Contributor

Security: Add Startup Security Configuration Verification

Summary

Validates security-critical environment variables (JWT_SECRET, CORS_ORIGINS, ENVIRONMENT) on first request. Logs warnings in development, throws a hard error in production when JWT_SECRET is missing or uses the default value.

Changes

1. Security Configuration Verification

  • New verifySecurityConfig() function in bootstrap middleware
  • Checks 3 security-critical env vars on first request per worker instance
  • Development: Logs [SonicJS Security] warnings to console
  • Production: Throws a hard error if JWT_SECRET is missing or still the default value

2. Verification Logic

Check                   Condition                        Development   Production
JWT_SECRET not set      Using hardcoded fallback         warn          throw
JWT_SECRET = default    Tokens are forgeable             warn          throw
CORS_ORIGINS not set    Cross-origin requests rejected   warn          warn
ENVIRONMENT not set     HSTS header not applied          warn          warn

3. Unit Tests

  • 10 tests covering all combinations: all-good config, missing JWT, default JWT, missing CORS, missing ENVIRONMENT, multiple warnings, production throw on missing JWT, production throw on default JWT, production non-throw with proper JWT, development non-throw

Technical Details

File                                                                  Change
packages/core/src/middleware/bootstrap.ts                             Added verifySecurityConfig(), extended Bindings type with security env vars, called after bootstrap completes (outside try/catch so production errors propagate)
packages/core/src/middleware/index.ts                                 Export verifySecurityConfig
packages/core/src/__tests__/middleware/bootstrap-security.test.ts     10 unit tests

Testing

  • Unit Tests: 10/10 PASSED
  • All middleware tests: 65/65 PASSED (no regressions)
  • Build: PASSED

Performance Impact

None — runs once per worker instance, only string comparisons.

Breaking Changes

  • Production deployments without JWT_SECRET will fail on first request with a clear error message. This is intentional — preventing insecure deployments from running silently.

Migration Notes

  • Development: No action needed. Warnings appear in console but don't block the app.
  • Production: Ensure JWT_SECRET is set via wrangler secret put JWT_SECRET before deploying.
  • Recommended: Also set CORS_ORIGINS and ENVIRONMENT=production in wrangler.toml [vars].

Known Issues

None.

Related Issues

Implements the aspirational verifySecurityConfig() described in upstream security documentation.

Checklist

  • Code follows project coding standards
  • Tests added/updated and passing
  • Documentation updated
  • No breaking changes for development
  • Backward compatible

Validates security-critical environment variables (JWT_SECRET, CORS_ORIGINS,
ENVIRONMENT) on first request. Logs warnings in development, throws a hard
error in production when JWT_SECRET is missing or uses the default value.
Runs once per worker instance inside the bootstrap middleware.
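As an added illustration (not the PR's own code), a table-driven TypeScript version of the verification logic the description lays out; the type and function names, the `log` parameter and the fallback-secret value are assumptions:

```typescript
// Added example, not the PR's code: a table-driven version of the startup
// check the description lays out. Names and the fallback secret are assumptions.
export interface SecurityBindings {
  JWT_SECRET?: string;
  CORS_ORIGINS?: string;
  ENVIRONMENT?: string;
}

// Constructed placeholder for the hardcoded fallback secret; the real value
// is not given on the page.
export const DEFAULT_JWT_SECRET = "change-me-jwt-secret";

export interface SecurityFinding {
  check: string;        // short name, e.g. "JWT_SECRET not set"
  consequence: string;  // what the misconfiguration means in practice
  fatalInProduction: boolean;
}

// One row per check in the PR's table; a row returns a finding or null.
const CHECKS: Array<(env: SecurityBindings) => SecurityFinding | null> = [
  (env) => !env.JWT_SECRET
    ? { check: "JWT_SECRET not set", consequence: "using hardcoded fallback", fatalInProduction: true }
    : null,
  (env) => env.JWT_SECRET === DEFAULT_JWT_SECRET
    ? { check: "JWT_SECRET is default", consequence: "tokens are forgeable", fatalInProduction: true }
    : null,
  (env) => !env.CORS_ORIGINS
    ? { check: "CORS_ORIGINS not set", consequence: "cross-origin requests rejected", fatalInProduction: false }
    : null,
  (env) => !env.ENVIRONMENT
    ? { check: "ENVIRONMENT not set", consequence: "HSTS header not applied", fatalInProduction: false }
    : null,
];

// Warns on every finding; in production, throws if any fatal finding exists.
export function verifySecurityConfig(
  env: SecurityBindings,
  log: (msg: string) => void = console.warn,
): SecurityFinding[] {
  const findings = CHECKS.map((c) => c(env)).filter((f): f is SecurityFinding => f !== null);
  for (const f of findings) log(`[SonicJS Security] ${f.check}: ${f.consequence}`);
  const fatal = findings.filter((f) => f.fatalInProduction);
  if (env.ENVIRONMENT === "production" && fatal.length > 0) {
    throw new Error(`[SonicJS Security] refusing to serve: ${fatal.map((f) => f.check).join("; ")}`);
  }
  return findings;
}

// Once-per-worker-instance guard: module state persists across requests on one isolate.
// If the check throws, nothing is cached, so every request fails until the config is fixed.
let cached: SecurityFinding[] | undefined;
export function verifySecurityConfigOnce(env: SecurityBindings): SecurityFinding[] {
  if (cached === undefined) cached = verifySecurityConfig(env);
  return cached;
}
```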