Cryptography
ECB mode, static IVs, weak key sizes, disabled certificate validation, weak PRNGs, JWT algorithm none attack, and hardcoded encryption keys.
7 vulnerabilities
ECB Mode
Severity: medium
Using ECB (Electronic Codebook) mode encrypts every 16-byte block independently, so identical plaintext blocks under the same key produce identical ciphertext blocks. The ciphertext therefore reveals repetition and structure in the plaintext, and blocks can be reordered, duplicated or dropped without detection.
Static IV/Nonce
Severity: high
Using a hardcoded or constant Initialization Vector (IV) or nonce with the same key defeats its purpose: messages that share a prefix produce ciphertexts that share a prefix, and in stream-style modes such as CTR and GCM the keystream is reused, so XORing two ciphertexts yields the XOR of the two plaintexts. With GCM, nonce reuse additionally exposes the authentication subkey and allows forgeries. The IV must be unpredictable (CBC) or unique (CTR/GCM) for every message and be stored or transmitted alongside the ciphertext.
Weak Key Size
Severity: medium
Using cryptographic keys shorter than recommended minimums (RSA moduli under 2048 bits, symmetric keys under 128 bits) leaves the encryption within reach of modern hardware: short RSA moduli can be factored, and short symmetric keys can be found by exhaustive search.
Certificate Validation Disabled
Severity: critical
Disabling TLS certificate validation with NODE_TLS_REJECT_UNAUTHORIZED=0 or rejectUnauthorized: false allows man-in-the-middle attacks: any attacker on the network path can present their own certificate and read or modify the traffic. The environment variable switches validation off for every outbound TLS connection in the process, not only the one being debugged, and the option does the same for the https or tls call it is passed to.
Weak PRNG for Security
Severity: high
Using Math.random() or Date.now() to generate tokens, session IDs, or reset codes produces predictable values: Math.random() is a non-cryptographic PRNG whose internal state can be recovered from its outputs, and a timestamp is guessable to within a few seconds of the request. Security-sensitive values must come from a CSPRNG such as crypto.randomBytes(), crypto.randomInt() or crypto.randomUUID().
JWT Algorithm None
Severity: critical
Accepting 'none' as a valid JWT signing algorithm lets attackers forge tokens without a secret key: the attacker sets alg to none in the header, writes whatever claims they want, and leaves the signature segment empty. Verification must pin the algorithm it expects instead of trusting the one named in the token.
Hardcoded Encryption Key
Severity: high
Embedding encryption keys as string literals in code means anyone with access to the repository, including its history after the key is later removed, can decrypt your data. Keys belong in a secrets manager or environment-injected configuration, and a key that has ever been committed must be rotated.