e138752dd3
Add trust proxy, WebAuthn challenge TTL, stricter public collaboration rate limits, generic 500 responses, Docker POSTGRES_PASSWORD from env, nginx security headers/CSP, and deployment documentation. Co-authored-by: Cursor <cursoragent@cursor.com>
OpenWeatherMapAPIKey=<owm_api_key>
# DeepL API (for scripts/translate-locales.mjs and scripts/translate-flyer.mjs)
# Free-plan keys (suffix :fx) are routed to api-free.deepl.com automatically
DeepLAPIKey=
# Passkey configuration (WebAuthn Relying Party ID and Origin)
# For local dev: use localhost (NOT 127.0.0.1 — browsers reject IP addresses for Passkeys)
# Production (kapteins-daagbok.eu):
# RP_ID=kapteins-daagbok.eu
# ORIGIN=https://kapteins-daagbok.eu
RP_ID=localhost
# Must match the frontend URL exactly, including scheme, host and port (Vite dev: http://localhost:5173; Docker: http://localhost)
ORIGIN=http://localhost:5173
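# Behind Nginx Proxy Manager — see docs/deployment/npm-security.md
# Set TRUST_PROXY only when the API is reachable solely through the proxy. Forwarded client-IP
# headers are then trusted, so a directly reachable API would let clients forge the address seen
# by anything keyed on client IP, such as rate limiting.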
# TRUST_PROXY=172.16.10.10
# TRUST_PROXY=1
# Docker Compose database (required for production deploy)
# Set POSTGRES_PASSWORD to a long random value that is unique to this deployment.
# POSTGRES_USER=postgres
# POSTGRES_PASSWORD=
# POSTGRES_DB=daagbox
# Optional: comma-separated CORS origins (defaults to ORIGIN; 127.0.0.1 may be allowed for CORS but not for login)
# CORS_ORIGINS=http://localhost:5173
# API session signing (min. 32 chars; required in production)
# Use a different random value per environment and keep the real one out of version control.
# Generate: openssl rand -base64 48
SESSION_SECRET=
# Web Push (VAPID) — generate with: npx web-push generate-vapid-keys
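# Public key may also be set on the client as VITE_VAPID_PUBLIC_KEY
# Never put VAPID_PRIVATE_KEY in a VITE_-prefixed variable: Vite exposes those to the browser bundle.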
VAPID_PUBLIC_KEY=
VAPID_PRIVATE_KEY=
VAPID_SUBJECT=mailto:support@kapteins-daagbok.eu
# Feedback via Ntfy (https://ntfy.sh or self-hosted)
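# NTFY_TOPIC: topic name only (not the full URL)
# On a public server such as ntfy.sh, anyone who knows or guesses the topic name can read its
# messages unless the topic is access-controlled. Choose an unguessable name, or restrict the
# topic and authenticate with NTFY_TOKEN.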
NTFY_SERVER=https://ntfy.sh
NTFY_TOPIC=kapteins-daagbok-feedback
NTFY_TOKEN=tk_example_ntfy_access_token