Kyle Pope
f372e7bd99
- Remove external backend port 8000 exposure (VULN-01) - Conditionally disable Swagger/ReDoc/OpenAPI in non-dev (VULN-01) - Suppress nginx and uvicorn server version headers (VULN-07) - Fix CSP to allow Google Fonts (fonts.googleapis.com/gstatic) (VULN-08) - Add nginx rate limiting on auth endpoints (10r/m burst=5) (VULN-09) - Block dotfile access (/.env, /.git) while preserving .well-known (VULN-10) - Make CORS origins configurable, tighten methods/headers (VULN-11) - Run both containers as non-root users (VULN-12) - Add IP rate limit + account lockout to /change-password Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
46 lines
1.3 KiB
Python
46 lines
1.3 KiB
Python
import sys
|
|
from pydantic_settings import BaseSettings, SettingsConfigDict
|
|
|
|
|
|
class Settings(BaseSettings):
|
|
DATABASE_URL: str = "postgresql+asyncpg://postgres:postgres@localhost:5432/umbra"
|
|
SECRET_KEY: str = "your-secret-key-change-in-production"
|
|
ENVIRONMENT: str = "development"
|
|
COOKIE_SECURE: bool = False
|
|
OPENWEATHERMAP_API_KEY: str = ""
|
|
|
|
# Session config
|
|
SESSION_MAX_AGE_DAYS: int = 30
|
|
|
|
# MFA token config (short-lived token bridging password OK → TOTP verification)
|
|
MFA_TOKEN_MAX_AGE_SECONDS: int = 300 # 5 minutes
|
|
|
|
# TOTP issuer name shown in authenticator apps
|
|
TOTP_ISSUER: str = "UMBRA"
|
|
|
|
# CORS allowed origins (comma-separated)
|
|
CORS_ORIGINS: str = "http://localhost:5173"
|
|
|
|
model_config = SettingsConfigDict(
|
|
env_file=".env",
|
|
env_file_encoding="utf-8",
|
|
case_sensitive=True
|
|
)
|
|
|
|
|
|
settings = Settings()
|
|
|
|
if settings.SECRET_KEY == "your-secret-key-change-in-production":
|
|
if settings.ENVIRONMENT != "development":
|
|
print(
|
|
"FATAL: Default SECRET_KEY detected in non-development environment. "
|
|
"Set a unique SECRET_KEY in .env immediately.",
|
|
file=sys.stderr,
|
|
)
|
|
sys.exit(1)
|
|
else:
|
|
print(
|
|
"WARNING: Using default SECRET_KEY. Set SECRET_KEY in .env for production.",
|
|
file=sys.stderr,
|
|
)
|