diff --git a/packages/backend/src/auth/utils.ts b/packages/backend/src/auth/utils.ts
index 6a40067..e2f4686 100644
--- a/packages/backend/src/auth/utils.ts
+++ b/packages/backend/src/auth/utils.ts
@@ -2,12 +2,16 @@ import bcrypt from "bcrypt";
 import * as jwt from "jsonwebtoken";
 
 const JWT_EXPIRES_IN = (process.env.JWT_EXPIRES_IN ?? "7d") as jwt.SignOptions["expiresIn"];
+const JWT_ALGORITHM = "HS256";
 
 const requireJwtSecret = () => {
   const secret = process.env.JWT_SECRET;
   if (!secret) {
     throw new Error("JWT_SECRET is required");
   }
+  if (secret.length < 32) {
+    throw new Error("JWT_SECRET must be at least 32 characters");
+  }
   return secret;
 };
 
@@ -17,10 +21,15 @@ export const verifyPassword = (password: string, hash: string) => bcrypt.compare
 export const generateToken = (userId: number) => {
   const secret = requireJwtSecret();
-  return jwt.sign({ userId }, secret, { expiresIn: JWT_EXPIRES_IN });
+  return jwt.sign({ userId }, secret, {
+    expiresIn: JWT_EXPIRES_IN,
+    algorithm: JWT_ALGORITHM,
+  });
 };
 
 export const verifyToken = (token: string) => {
   const secret = requireJwtSecret();
-  return jwt.verify(token, secret) as { userId: number };
+  return jwt.verify(token, secret, {
+    algorithms: [JWT_ALGORITHM],
+  }) as { userId: number };
 };
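Review bot: The new `secret.length < 32` check in requireJwtSecret measures character count, not entropy, so a 32-character secret made of repeated or dictionary text still passes; it rules out short secrets, nothing more. A comment above the check would keep the next reader from treating it as a strength guarantee: `// Minimum length for an HS256 key (256 bits only when the secret is random); this does not check entropy.` Since requireJwtSecret re-reads process.env on every sign and verify call, a bad secret surfaces on first use rather than at startup, which is worth knowing when wiring deployment checks.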
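Review bot: verifyToken still hands the verified payload to callers through an `as { userId: number }` cast, so a token whose claims carry no numeric userId (a string payload, or an object missing the claim) is returned as if it had one. Pinning `algorithms` closes the algorithm-confusion case, but the assertion is a separate gap; narrow the result at runtime and throw on a malformed payload instead of casting. With the @types/jsonwebtoken definitions, jwt.verify returns `string | JwtPayload` and JwtPayload carries an index signature, so the sketch below type-checks without the assertion (assuming that typing is what the project uses).
```typescript
export const verifyToken = (token: string) => {
  const secret = requireJwtSecret();
  const payload = jwt.verify(token, secret, { algorithms: [JWT_ALGORITHM] });
  // Reject string payloads and objects without a numeric userId rather than casting.
  if (typeof payload === "string" || typeof payload.userId !== "number") {
    throw new Error("Invalid token payload");
  }
  return { userId: payload.userId };
};
```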