Security Best Practices

  • JWT Security – Use a strong JWT secret (32+ random bytes) and rotate it carefully.
  • Token Management – Keep access tokens short‑lived (e.g., 15–60 minutes) and use refresh tokens for longer-lived sessions.
  • Password Security – Store passwords hashed with modern algorithms like bcrypt or argon2; never store them in plain text.
  • Route Protection – Limit public routes and require authentication for most endpoints.
  • Database Access – Restrict database access through network policies and use least‑privilege credentials.
  • SMTP Security – Use provider-scoped app passwords or credentials for SMTP rather than your account password.
  • Audit Trails – Log admin actions and maintain audit trails to monitor changes.
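The JWT and token-lifetime items above, as an added example that is not part of this documentation: a standard-library HS256 issuer and verifier that refuses secrets shorter than 32 bytes, pins the algorithm instead of trusting the token's `alg`, and rejects expired tokens. The 15-minute TTL and the function names are assumptions; a production service should use a maintained JWT library with the same checks.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

MIN_SECRET_BYTES = 32        # "32+ random bytes" from the guidance above
ACCESS_TOKEN_TTL = 15 * 60   # assumed: short end of the suggested 15-60 minute range


def generate_secret() -> bytes:
    """Fresh CSPRNG secret suitable for HS256 signing."""
    return secrets.token_bytes(MIN_SECRET_BYTES)


def secret_is_strong(secret: bytes) -> bool:
    return len(secret) >= MIN_SECRET_BYTES


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(secret: bytes, subject: str, now: Optional[int] = None) -> str:
    """Mint a short-lived HS256 token; refuses weak secrets outright."""
    if not secret_is_strong(secret):
        raise ValueError("JWT secret must be at least 32 random bytes")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ACCESS_TOKEN_TTL}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_access_token(secret: bytes, token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # algorithm pinned server-side
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time compare
        return None
    payload = json.loads(_b64url_decode(p))
    return payload if payload.get("exp", 0) > now else None
```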