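# Server Configuration
# Timeouts are duration strings (10s, 2m). Keep READ/WRITE/IDLE finite so a slow or
# stalled client cannot hold a connection open indefinitely.
PORT=8080
SERVER_READ_TIMEOUT=10s
SERVER_WRITE_TIMEOUT=10s
SERVER_IDLE_TIMEOUT=60s
# Logging Configuration
# Levels more verbose than INFO may include request details in logs; only lower this
# where the logger is known not to emit tokens or credentials.
LOG_LEVEL=INFO
LOG_FORMAT=json
# Database Configuration
DB_HOST=localhost
DB_PORT=5432
DB_USER=postgres
# Left empty on purpose: this template is committed, so the real password belongs only
# in your local .env (same rule as JWT_SECRET below).
DB_PASSWORD=
DB_NAME=strive
# "disable" is only appropriate for a database on the same host. For a remote DB_HOST use
# "require" at minimum, or "verify-full" so the server certificate and hostname are checked.
DB_SSL_MODE=disable
DB_MAX_CONNS=25
DB_MIN_CONNS=5
# JWT Configuration
# JWT_SECRET is REQUIRED and must be at least 32 characters long
# Generate a strong secret: openssl rand -base64 32
JWT_SECRET=
# Issuer and audience are checked on incoming tokens; they must match what the token
# issuer writes, otherwise every token is rejected.
JWT_ISSUER=strive-api
JWT_AUDIENCE=strive-app
# Tolerated clock drift when validating token timestamps. A larger value extends how long
# an expired token is still accepted, so keep it small (confirm the exact semantics
# against the token validator).
JWT_CLOCK_SKEW=2m
# Rate Limiting Configuration
# AUTH applies to login/token endpoints and is deliberately much lower than GENERAL to
# slow down credential guessing; do not raise it to match GENERAL.
RATE_LIMIT_ENABLED=true
RATE_LIMIT_AUTH_PER_MINUTE=5
RATE_LIMIT_GENERAL_PER_MINUTE=60
RATE_LIMIT_BURST_SIZE=10
# CORS Configuration
# Comma-separated list of allowed origins
# Because CORS_ALLOW_CREDENTIALS=true the list must be explicit: browsers reject a "*"
# origin for credentialed requests, and reflecting arbitrary origins would let any site
# make authenticated calls. Replace https://your-frontend-domain.com with the real
# frontend origin and remove the localhost entries in production.
CORS_ALLOWED_ORIGINS=http://localhost:3000,http://localhost:3001,http://localhost:4200,https://your-frontend-domain.com
# Comma-separated list of allowed methods
CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,OPTIONS
# Comma-separated list of allowed headers
CORS_ALLOWED_HEADERS=Accept,Authorization,Content-Type,X-Request-ID
# Comma-separated list of exposed headers
CORS_EXPOSED_HEADERS=X-Request-ID
# Allow credentials (true/false) - REQUIRED for cross-domain cookies
CORS_ALLOW_CREDENTIALS=true
# Max age for preflight requests in seconds
CORS_MAX_AGE=86400
# Cookie Configuration (for production deployment)
# Secure cookies (true/false) - set to true for HTTPS in production
COOKIE_SECURE=true
# SameSite attribute (None, Lax, Strict)
# Use "Strict" for production (maximum security)
# Use "None" for cross-site cookies (requires Secure=true and HTTPS)
# Use "Lax" for same-site cookies (default, recommended for most cases)
# Note: "Strict" withholds the cookie on every cross-site request. If the frontend is
# served from a different site than this API (the case CORS_ALLOW_CREDENTIALS=true is
# meant for), the browser will not send the session cookie unless this is "None".
COOKIE_SAMESITE=Strict
# Cookie domain (empty for current domain, or specify domain like ".example.com")
# Leave empty for development, set to your domain for production
# A leading-dot domain shares the cookie with every subdomain; keep it as narrow as the
# deployment allows.
COOKIE_DOMAIN=
# Environment Configuration
# Set to 'production' for HTTPS cookies, leave empty for development
ENVIRONMENT=
# Security Headers Configuration
# HSTS max age in seconds (1 year = 31536000)
# Only meaningful when the site is served over HTTPS; browsers ignore HSTS over plain HTTP.
SECURITY_HSTS_MAX_AGE=31536000
# Include subdomains in HSTS (true/false)
SECURITY_HSTS_INCLUDE_SUBDOMAINS=true
# Content Security Policy directive
# 'unsafe-inline' in script-src removes most of the XSS protection CSP provides; move to
# nonces or hashes for scripts once the frontend supports them. frame-ancestors 'none'
# here is the modern replacement for X-Frame-Options below.
SECURITY_CSP_DIRECTIVE=default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'
# X-Frame-Options (DENY, SAMEORIGIN, ALLOW-FROM)
# ALLOW-FROM is obsolete and ignored by current browsers; use the CSP frame-ancestors
# directive instead when a specific embedder must be permitted.
SECURITY_X_FRAME_OPTIONS=DENY
# X-Content-Type-Options (nosniff)
SECURITY_X_CONTENT_TYPE_OPTIONS=nosniff
# Referrer Policy (no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url)
SECURITY_REFERRER_POLICY=strict-origin-when-cross-origin
# X-XSS-Protection (0, 1, 1; mode=block)
# Legacy header: current browsers ignore it and OWASP now recommends "0" because the old
# filter could itself be abused. The CSP above is the effective control.
SECURITY_XSS_PROTECTION=1; mode=block
# wger API Configuration
# Base URL for wger API
WGER_API_BASE_URL=https://wger.de/api/v2
# API key for wger API (optional, but recommended for higher rate limits)
# This is a credential: set it only in your local .env, not in this template.
WGER_API_KEY=
# Request timeout for wger API
WGER_API_TIMEOUT=30s
# Number of retry attempts for failed requests
# With a 30s timeout, retries can hold a caller for several minutes on an unresponsive
# upstream (confirm whether retries also apply to timeouts, not just error responses).
WGER_API_RETRY_COUNT=3
# Enable/disable wger API integration
WGER_API_ENABLED=true
# Security Requirements:
# - JWT_SECRET must be at least 32 characters
# - Use a cryptographically secure random string
# - Never use default or weak secrets in production
# - Generate with: openssl rand -base64 32
# - The same applies to DB_PASSWORD and WGER_API_KEY: both are left empty here and are
#   filled in only in the untracked .env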