- Remove ineffective in-memory IP rate limiter from auth.py (F-01): nginx limit_req_zone handles real-IP throttling, DB lockout is the per-user guard
- Block RFC 1918 + IPv6 ULA ranges in ntfy SSRF guard (F-02): prevents requests to Docker-internal services via user-controlled ntfy URL
- Rate-limit /api/auth/setup at nginx with burst=3 (F-06)
- Document production deployment checklist in .env.example (F-03/F-04/F-05)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
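The F-02 item above describes blocking private and ULA ranges in the guard around a user-supplied ntfy URL. The following is an added example of such a check in Python, not the project's own code; the function names (`is_forbidden_address`, `validate_ntfy_url`) and the injectable resolver are assumptions made so the logic can run and be tested offline.

```python
"""SSRF guard for a user-supplied ntfy URL (added example, not the project's code).

Hypothetical helper names. A resolver callable is injected so the check is
testable without network access; the default uses system DNS as a backend would.
"""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit


def is_forbidden_address(ip: str) -> bool:
    """True if the address is not publicly routable: RFC 1918, CGNAT, loopback,
    link-local (including cloud metadata 169.254.x.x), IPv6 ULA fc00::/7,
    multicast, unspecified. Anything a server-side fetch must not reach."""
    addr = ipaddress.ip_address(ip)
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) must be judged as its embedded IPv4,
    # otherwise a v6 literal can smuggle a v4 private target past the check.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (not addr.is_global or addr.is_multicast or addr.is_loopback
            or addr.is_link_local or addr.is_unspecified)


def _system_resolver(host: str) -> Iterable[str]:
    # Default resolver: every A/AAAA answer for the host.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_ntfy_url(url: str,
                      resolver: Callable[[str], Iterable[str]] = _system_resolver) -> str:
    """Return the URL if it is safe to fetch server-side; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("ntfy URL must be http(s) with a host")
    host = parts.hostname
    try:
        # A literal IP in the URL is checked directly (urlsplit strips [] from v6).
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        # A hostname is resolved; DNS may return several answers and every one
        # of them must be public, or an attacker can mix in one internal address.
        try:
            addrs = list(resolver(host))
        except OSError as exc:
            raise ValueError(f"cannot resolve {host}") from exc
    if not addrs or any(is_forbidden_address(a) for a in addrs):
        raise ValueError(f"ntfy host {host} resolves to a blocked address")
    return url
```

Resolving once and then letting the HTTP client resolve again leaves a DNS-rebinding window; a stricter deployment connects to the address that passed the check rather than re-resolving the hostname.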
33 lines
1.2 KiB
Plaintext
# Database
POSTGRES_USER=umbra
POSTGRES_PASSWORD=changeme_in_production
POSTGRES_DB=umbra

# Backend
DATABASE_URL=postgresql+asyncpg://umbra:changeme_in_production@db:5432/umbra
SECRET_KEY=change-this-to-a-random-secret-key-in-production

# Environment (development|production — controls Swagger/ReDoc visibility)
# ENVIRONMENT=development

# CORS allowed origins (comma-separated, default: http://localhost:5173)
# CORS_ORIGINS=http://localhost:5173

# Timezone (applied to backend + db containers via env_file)
TZ=Australia/Perth

# Session cookie security
# Set to true when serving over HTTPS. Required before any TLS deployment.
# COOKIE_SECURE=true

# Integrations
OPENWEATHERMAP_API_KEY=your-openweathermap-api-key

# Production security checklist (enable all before any non-internal deployment):
# 1. Set SECRET_KEY to output of: openssl rand -hex 32
# 2. Set POSTGRES_PASSWORD to a strong unique value
# 3. Set ENVIRONMENT=production (disables Swagger/ReDoc on backend:8000)
# 4. Set COOKIE_SECURE=true (requires TLS termination at nginx or upstream)
# 5. Add HSTS to nginx.conf: add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
# 6. Complete user_id migration (migration 026) before enabling multi-user accounts