security hardening + drafts/attachments

2026-02-21 19:10:56 -05:00
parent 1dc99eb681
commit a0105956e4
35 changed files with 4928 additions and 0 deletions
--- a/.env.example
+++ b/.env.example
@@ -0,0 +1,27 @@
+# Core
+DB_PASSWORD=mastermind
+DATABASE_URL=postgres://postgres:${DB_PASSWORD}@db:5432/mastermind
+
+# Public base URL (set to https://... when live)
+BASE_URL=http://100.101.78.42:3005
+
+# REQUIRED in production (>=24 chars). Generate with: openssl rand -base64 48
+SESSION_SECRET=change-this-to-a-long-random-string
+
+# If running behind a reverse proxy (Traefik/Nginx/Caddy), enable this so req.ip and secure cookies work
+TRUST_PROXY=true
+
+# If public site is HTTPS, set COOKIE_SECURE=true (or just make BASE_URL https://...)
+COOKIE_SECURE=false
+
+# One-time bootstrap local owner (only used if there are no local identities yet)
+BOOTSTRAP_OWNER_EMAIL=
+BOOTSTRAP_OWNER_PASSWORD=
+
+# Google OAuth (optional)
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+
+# Microsoft OAuth (optional)
+MICROSOFT_CLIENT_ID=
+MICROSOFT_CLIENT_SECRET=