.env.example
# VDV463 Validator - Environment Configuration
# Copy this file to .env and fill in the values
# NEVER commit .env to version control!
# ============================================================================
# REQUIRED - Security Credentials
# ============================================================================
# JWT secret key - MUST be at least 32 characters, random, and unique to this deployment
# Generate with: openssl rand -hex 32
# (32 random bytes printed as 64 hex characters, which comfortably meets the minimum)
JWT_SECRET_KEY=
# Legacy HTTP Basic Auth (optional, kept only for backward compatibility)
# Format: username:password - the password sits in plain text in this file,
# so restrict read access to .env accordingly
AUTH_SECRET=
# Disable authentication entirely (e.g. for trusted internal networks / air-gapped deployments)
# Set to true to bypass login - all API endpoints become publicly accessible.
# WARNING: Never use this on internet-facing deployments!
DISABLE_AUTH=false
# ============================================================================
# OPTIONAL - Google OAuth
# ============================================================================
# Google OAuth Client ID for "Sign in with Google" (Google account login)
# Get from: https://console.cloud.google.com/apis/credentials
GOOGLE_CLIENT_ID=
# ============================================================================
# OPTIONAL - Email Configuration (for verification/password reset)
# ============================================================================
# SMTP server settings (e.g., for Gmail: smtp.gmail.com)
# 587 is the standard mail submission port
SMTP_HOST=
SMTP_PORT=587
SMTP_USER=
SMTP_PASSWORD=
# Application URL (used in email links)
# MUST use https:// for production
APP_URL=https://localhost
# ============================================================================
# SECURITY - CORS and Origins
# ============================================================================
# Allowed CORS origins (comma-separated; each entry is a full origin, scheme://host[:port])
# For production, list only your actual domain(s) - never a wildcard
ALLOWED_ORIGINS=https://localhost
# ============================================================================
# PORTS (optional, default values shown)
# ============================================================================
HTTPS_PORT=443
HTTP_PORT=80
# ============================================================================
# SECURITY CHECKLIST
# ============================================================================
# Before deploying to production:
#
# [ ] Generate a strong, unique JWT_SECRET_KEY (32+ characters)
# [ ] Confirm DISABLE_AUTH=false
# [ ] Use real TLS certificates (Let's Encrypt or a commercial CA)
# [ ] Set ALLOWED_ORIGINS to your actual domain(s) only
# [ ] Configure SMTP for email verification and password reset
# [ ] Set APP_URL to your actual HTTPS domain
# [ ] Review and test rate limiting settings
# [ ] Enable firewall rules on your server
# [ ] Keep all dependencies updated
# [ ] Monitor logs for suspicious activity
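As an added example, not part of the VDV463 Validator project, the POSIX shell lint below checks a filled-in .env against the checklist above before deployment. It assumes the variable names exactly as this template defines them and unquoted values as shown; the 32-character minimum, the https-only rule for APP_URL and ALLOWED_ORIGINS, and the SMTP requirement come from the comments above, while the placeholder words it rejects for JWT_SECRET_KEY and the sample files it creates are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the VDV463 Validator project: a pre-deployment
# lint for a .env filled in from the template above. It reads only the
# variables the template defines; the rules mirror the SECURITY CHECKLIST.
# Values are expected unquoted, as in the template (a surrounding pair of
# double quotes is tolerated).

# Print the value of KEY ($2) from FILE ($1); last definition wins, empty if unset.
env_get() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | sed -e 's/^"//' -e 's/"$//'
}

# Check FILE against the checklist. Prints one "FAIL: ..." line per finding
# and returns 0 when there are none, 1 otherwise.
check_env() {
    file="$1"
    failures=0
    fail() { echo "FAIL: $1"; failures=$((failures + 1)); }

    # JWT_SECRET_KEY: 32+ characters and not an obvious placeholder
    # (openssl rand -hex 32 yields 64 hex characters, well above the minimum).
    jwt=$(env_get "$file" JWT_SECRET_KEY)
    [ "${#jwt}" -ge 32 ] || fail "JWT_SECRET_KEY must be at least 32 characters (got ${#jwt})"
    case "$jwt" in
        changeme*|secret*|password*|example*) fail "JWT_SECRET_KEY looks like a placeholder" ;;
    esac

    # DISABLE_AUTH must not be true on anything reachable from the internet.
    [ "$(env_get "$file" DISABLE_AUTH)" != "true" ] || fail "DISABLE_AUTH=true makes every API endpoint public"

    # APP_URL: https:// and a real hostname, since it is embedded in emailed links.
    app_url=$(env_get "$file" APP_URL)
    case "$app_url" in
        https://*) ;;
        *) fail "APP_URL must use https:// (got '$app_url')" ;;
    esac
    case "$app_url" in
        https://localhost*|http://localhost*) fail "APP_URL still points at localhost" ;;
    esac

    # ALLOWED_ORIGINS: non-empty, and every comma-separated entry an https:// origin
    # (this also rejects a bare "*" wildcard).
    origins=$(env_get "$file" ALLOWED_ORIGINS)
    [ -n "$origins" ] || fail "ALLOWED_ORIGINS is empty"
    non_https=$(printf '%s\n' "$origins" | tr ',' '\n' | grep -v '^https://' || true)
    [ -z "$non_https" ] || fail "ALLOWED_ORIGINS entries must be https:// origins: $(printf '%s' "$non_https" | tr '\n' ' ')"

    # SMTP_HOST: required for email verification and password reset.
    [ -n "$(env_get "$file" SMTP_HOST)" ] || fail "SMTP_HOST is empty; verification and password-reset mail cannot be sent"

    [ "$failures" -eq 0 ]
}

# Constructed demo input (not a real deployment): the template defaults plus
# an unsafe auth setting, to show the output.
demo=$(mktemp)
cat > "$demo" <<'EOF'
JWT_SECRET_KEY=changeme
DISABLE_AUTH=true
APP_URL=https://localhost
ALLOWED_ORIGINS=https://localhost,http://localhost:3000
EOF
if check_env "$demo"; then echo "ready for production"; else echo "fix the findings above first"; fi
rm -f "$demo"
```

Run it as `sh check_env.sh` after saving; to lint a real file, call `check_env /path/to/.env` and gate the deployment on its exit status. The check is deliberately read-only: it never prints secret values, only their lengths or the offending non-https origins.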