diff --git a/server.js b/server.js
index dc5decaf..bd9e32da 100644
--- a/server.js
+++ b/server.js
@@ -83,10 +83,11 @@ function escapeHtml(str) {
 }
 
 // ── Auth: JWT config ──────────────────────────────────────────────────
-const JWT_SECRET = process.env.JWT_SECRET || 'dev-secret-CHANGE-IN-PRODUCTION';
 if (!process.env.JWT_SECRET) {
- console.error('[SECURITY] JWT_SECRET is not set. Using insecure default. Set JWT_SECRET env var in production!');
+ console.error('[SECURITY] JWT_SECRET env var is not set. Refusing to start.');
+ process.exit(1);
 }
+const JWT_SECRET = process.env.JWT_SECRET;
const JWT_TTL_SECONDS = 30 * 24 * 60 * 60; // 30 days
 
 // WebAuthn relying party config (from env)
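Review bot: The guard `if (!process.env.JWT_SECRET)` only rejects an unset or empty value, so a short placeholder set by an operator to get past the startup check still becomes the token signing key and the fail-fast gives no protection against it. Since the commit already refuses to start, it costs nothing to also enforce a minimum length at the same spot: move `const JWT_SECRET = process.env.JWT_SECRET;` above the check and change the condition to `if (!JWT_SECRET || JWT_SECRET.length < 32) {`, with the error text naming the minimum (`'[SECURITY] JWT_SECRET env var is missing or shorter than 32 characters. Refusing to start.'`). The exact threshold is a policy choice for this project; 32 characters is a common floor for HMAC secrets, not something the hunk itself establishes. It would also help a reader to add a one-line comment above the check, e.g. `// Fail fast: a missing signing secret must never fall back to a default.`, so the intent survives future edits.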