diff --git a/backend/src/index.js b/backend/src/index.js
index 1df12b7..f2e4b83 100644
--- a/backend/src/index.js
+++ b/backend/src/index.js
@@ -1,4 +1,12 @@
 require('dotenv').config();
+
+// ============ SECURITY VALIDATION ============
+// Validate JWT_SECRET at startup
+if (!process.env.JWT_SECRET || process.env.JWT_SECRET.length < 32) {
+ console.error('JWT_SECRET must be at least 32 characters!');
+ process.exit(1);
+}
+
 const express = require('express');
 const cors = require('cors');
 const helmet = require('helmet');
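Review bot: The new startup guard measures only `process.env.JWT_SECRET.length`, so a 32-character placeholder, a repeated character or a whitespace-padded value passes even though it carries little entropy. Length is a reasonable floor, but it does not show that the value was randomly generated, and if the secret is hex-encoded, 32 characters is only 128 bits of key material. I would trim before measuring, with `const jwtSecret = (process.env.JWT_SECRET || '').trim();` followed by `if (jwtSecret.length < 32) {`, and extend the comment to `// JWT_SECRET must be randomly generated (e.g. 32+ random bytes, base64-encoded); the length test is only a sanity floor`. The check also lives only in this entry file, so any other entry point that loads the token code (none is visible in this hunk) would presumably skip it.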