Security considerations

Security is one of the most important aspects of any application, and you should consider the following when choosing a security mechanism:

  • For most use cases, JWT authentication will be sufficient, so stick to that if you are not sure
  • If you want single-sign-on capabilities in your application, use OAuth 2.0/OIDC rather than trying to make JWT or session authentication work as an SSO solution
  • If you already have Keycloak or Okta set up in your company, choose OAuth 2.0/OIDC and connect to it
  • Choose session-based authentication only if you want stateful authentication
  • Do not open up CORS unless you have to
  • Use Spring Security to add authorization logic to your API endpoints and services
  • Remove all secrets from the application-prod.yml file and use placeholders to inject values from the command line or environment variables. Never put any secrets or passwords in code or config files
  • Change the generated JWT secrets for production
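
The last two points, as an added example that is not from the book or the JHipster project: the weak, committed form of `application-prod.yml` beside the corrected form that only holds placeholders (the key names are assumed to match the JHipster-generated configuration; the values are constructed).

```yaml
# application-prod.yml (excerpt). Constructed example; key names assumed to
# match the JHipster-generated configuration.

# Weak: real secrets committed with the code. Anyone with repository access
# (or a leaked build artifact) can read the database password and forge JWTs
# signed with the scaffold-time secret.
#
# spring:
#   datasource:
#     password: <real-db-password-in-git>
# jhipster:
#   security:
#     authentication:
#       jwt:
#         base64-secret: <secret-generated-at-scaffold-time>

# Corrected: placeholders only. Spring resolves ${NAME} from environment
# variables or command-line properties at startup. No ":default" fallback is
# given on purpose, so a missing variable fails the start-up instead of
# silently running production with an empty or generated secret.
spring:
  datasource:
    password: ${PROD_DB_PASSWORD}
jhipster:
  security:
    authentication:
      jwt:
        base64-secret: ${JWT_BASE64_SECRET}
```

Supply the values at launch, for example `JWT_BASE64_SECRET="$(openssl rand -base64 64)" PROD_DB_PASSWORD='...' java -jar app.jar`, which also replaces the generated JWT secret with a fresh 512-bit one.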

Refer to https://www.jhipster.tech/security/ for more about security in JHipster.
