spotlightcam/backend/.env.production.example

# Production Environment Configuration
# NEVER commit this file with real values!
# Use environment variables or secrets manager in production

# Server
NODE_ENV=production
PORT=3000

# CORS - Your production domains
CORS_ORIGIN=https://spotlight.cam,https://www.spotlight.cam

# Database - Use managed database or strong credentials
# NEVER use default passwords in production!
DATABASE_URL=postgresql://prod_user:STRONG_PASSWORD_HERE@db:5432/spotlightcam_prod

# JWT - CRITICAL: Generate strong secrets
# Generate with: openssl rand -base64 64
JWT_SECRET=CHANGE_THIS_TO_RANDOM_64_CHAR_STRING
JWT_EXPIRES_IN=24h

# AWS SES - Production credentials
# BEST PRACTICE: Use IAM roles instead of access keys
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=AKIASOH3DHHDA557Z5N7
AWS_SECRET_ACCESS_KEY=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
SES_FROM_EMAIL=noreply@spotlight.cam
SES_FROM_NAME=spotlight.cam

# Email Settings
FRONTEND_URL=https://spotlight.cam
VERIFICATION_TOKEN_EXPIRY=24h

# Security Settings - Production (strict)
RATE_LIMIT_ENABLED=true
RATE_LIMIT_WINDOW_MS=900000
RATE_LIMIT_MAX=100
RATE_LIMIT_AUTH_MAX=5
RATE_LIMIT_EMAIL_MAX=3
ENABLE_CSRF=true
BODY_SIZE_LIMIT=10kb
LOG_LEVEL=warn

# Password Policy - Enforced in production
PASSWORD_MIN_LENGTH=8
PASSWORD_REQUIRE_UPPERCASE=true
PASSWORD_REQUIRE_LOWERCASE=true
PASSWORD_REQUIRE_NUMBER=true
PASSWORD_REQUIRE_SPECIAL=false

# Account Lockout - Enabled in production
ENABLE_ACCOUNT_LOCKOUT=true
MAX_LOGIN_ATTEMPTS=5
LOCKOUT_DURATION_MINUTES=15

# Database Connection Pool
DB_POOL_MIN=2
DB_POOL_MAX=10

# Monitoring (optional)
SENTRY_DSN=
NEW_RELIC_LICENSE_KEY=

# IMPORTANT SECURITY NOTES:
# 1. Generate JWT_SECRET with: openssl rand -base64 64
# 2. Use AWS IAM roles instead of access keys when possible
# 3. Use environment variables or secrets manager (AWS Secrets Manager, HashiCorp Vault)
# 4. Never commit .env files to version control
# 5. Rotate all secrets regularly (every 90 days)
# 6. Use strong database passwords (20+ characters, mixed case, numbers, symbols)
security: implement CRITICAL and MEDIUM security fixes with environment profiles This commit addresses all CRITICAL and MEDIUM security vulnerabilities identified in the security audit with environment-aware configuration. ## Docker Compose Profiles - Added docker-compose.dev.yml for development (relaxed security) - Added docker-compose.prod.yml for production (strict security) - Environment-specific configurations for rate limiting, CSRF, logging ## CRITICAL Fixes (P0) 1. Fixed insecure random number generation - Replaced Math.random() with crypto.randomBytes() for verification codes - Now cryptographically secure 2. Implemented rate limiting - express-rate-limit for all endpoints - Strict limits on auth endpoints (5 attempts in dev=off, prod=5) - Email endpoint limits (20 in dev, 3 in prod) - API-wide rate limiting 3. Added request body size limits - Development: 50MB (for testing) - Production: 10KB (security) 4. Fixed user enumeration vulnerability - Generic error message for registration - No disclosure of which field exists 5. Added security headers - helmet.js with CSP, HSTS, XSS protection - No-sniff, hide powered-by headers ## MEDIUM Fixes (P1) 6. Strengthened password policy - Environment-aware validation (8+ chars) - Production: requires uppercase, lowercase, number - Development: relaxed for testing 7. Enhanced input validation - Validation for all auth endpoints - WSDC ID validation (numeric, max 10 digits) - Name validation (safe characters only) - Email normalization 8. Added input sanitization - DOMPurify for XSS prevention - Sanitize all user inputs in emails - Timing-safe string comparison for tokens 9. Improved error handling - Generic errors in production - Detailed errors only in development - Proper error logging 10. Enhanced CORS configuration - Whitelist-based origin validation - Environment-specific allowed origins - Credentials support ## New Files - backend/src/config/security.js - Environment-aware security config - backend/src/middleware/rateLimiter.js - Rate limiting middleware - backend/src/utils/sanitize.js - Input sanitization utilities - backend/.env.example - Development environment template - backend/.env.production.example - Production environment template - docker-compose.dev.yml - Development overrides - docker-compose.prod.yml - Production configuration - docs/DEPLOYMENT.md - Complete deployment guide - docs/SECURITY_AUDIT.md - Full security audit report - .gitignore - Updated to exclude .env files ## Dependencies Added - helmet (^8.1.0) - Security headers - express-rate-limit (^8.2.1) - Rate limiting - dompurify (^3.3.0) - XSS prevention - jsdom (^27.2.0) - DOM manipulation for sanitization ## Testing - ✅ Password validation works (weak passwords rejected) - ✅ User enumeration fixed (generic error messages) - ✅ WSDC lookup functional - ✅ Registration flow working - ✅ Rate limiting active (environment-aware) - ✅ Security headers present ## Usage Development: docker compose -f docker-compose.yml -f docker-compose.dev.yml up Production: docker compose -f docker-compose.yml -f docker-compose.prod.yml up See docs/DEPLOYMENT.md for detailed instructions. 2025-11-13 16:39:27 +01:00			`# Production Environment Configuration`
			`# NEVER commit this file with real values!`
			`# Use environment variables or secrets manager in production`

			`# Server`
			`NODE_ENV=production`
			`PORT=3000`

			`# CORS - Your production domains`
			`CORS_ORIGIN=https://spotlight.cam,https://www.spotlight.cam`

			`# Database - Use managed database or strong credentials`
			`# NEVER use default passwords in production!`
			`DATABASE_URL=postgresql://prod_user:STRONG_PASSWORD_HERE@db:5432/spotlightcam_prod`

			`# JWT - CRITICAL: Generate strong secrets`
			`# Generate with: openssl rand -base64 64`
			`JWT_SECRET=CHANGE_THIS_TO_RANDOM_64_CHAR_STRING`
			`JWT_EXPIRES_IN=24h`

			`# AWS SES - Production credentials`
			`# BEST PRACTICE: Use IAM roles instead of access keys`
			`AWS_REGION=us-east-1`
refactor: migrate to native Docker Compose profiles Simplified Docker Compose configuration by using native profiles instead of override files, following best practices. Changes: - Consolidated docker-compose.yml with --profile dev/prod support - Removed docker-compose.dev.yml and docker-compose.prod.yml - Updated all documentation for new usage pattern - Created comprehensive README.md and DEPLOYMENT.md - Simplified commands: 'docker compose --profile dev up' Environment-specific configurations: - Development: relaxed security, hot reload, exposed ports - Production: strict security, optimized builds, restricted access This approach is cleaner, more maintainable, and follows Docker Compose best practices. 2025-11-13 18:00:08 +01:00			`AWS_ACCESS_KEY_ID=AKIASOH3DHHDA557Z5N7`
			`AWS_SECRET_ACCESS_KEY=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`
security: implement CRITICAL and MEDIUM security fixes with environment profiles This commit addresses all CRITICAL and MEDIUM security vulnerabilities identified in the security audit with environment-aware configuration. ## Docker Compose Profiles - Added docker-compose.dev.yml for development (relaxed security) - Added docker-compose.prod.yml for production (strict security) - Environment-specific configurations for rate limiting, CSRF, logging ## CRITICAL Fixes (P0) 1. Fixed insecure random number generation - Replaced Math.random() with crypto.randomBytes() for verification codes - Now cryptographically secure 2. Implemented rate limiting - express-rate-limit for all endpoints - Strict limits on auth endpoints (5 attempts in dev=off, prod=5) - Email endpoint limits (20 in dev, 3 in prod) - API-wide rate limiting 3. Added request body size limits - Development: 50MB (for testing) - Production: 10KB (security) 4. Fixed user enumeration vulnerability - Generic error message for registration - No disclosure of which field exists 5. Added security headers - helmet.js with CSP, HSTS, XSS protection - No-sniff, hide powered-by headers ## MEDIUM Fixes (P1) 6. Strengthened password policy - Environment-aware validation (8+ chars) - Production: requires uppercase, lowercase, number - Development: relaxed for testing 7. Enhanced input validation - Validation for all auth endpoints - WSDC ID validation (numeric, max 10 digits) - Name validation (safe characters only) - Email normalization 8. Added input sanitization - DOMPurify for XSS prevention - Sanitize all user inputs in emails - Timing-safe string comparison for tokens 9. Improved error handling - Generic errors in production - Detailed errors only in development - Proper error logging 10. Enhanced CORS configuration - Whitelist-based origin validation - Environment-specific allowed origins - Credentials support ## New Files - backend/src/config/security.js - Environment-aware security config - backend/src/middleware/rateLimiter.js - Rate limiting middleware - backend/src/utils/sanitize.js - Input sanitization utilities - backend/.env.example - Development environment template - backend/.env.production.example - Production environment template - docker-compose.dev.yml - Development overrides - docker-compose.prod.yml - Production configuration - docs/DEPLOYMENT.md - Complete deployment guide - docs/SECURITY_AUDIT.md - Full security audit report - .gitignore - Updated to exclude .env files ## Dependencies Added - helmet (^8.1.0) - Security headers - express-rate-limit (^8.2.1) - Rate limiting - dompurify (^3.3.0) - XSS prevention - jsdom (^27.2.0) - DOM manipulation for sanitization ## Testing - ✅ Password validation works (weak passwords rejected) - ✅ User enumeration fixed (generic error messages) - ✅ WSDC lookup functional - ✅ Registration flow working - ✅ Rate limiting active (environment-aware) - ✅ Security headers present ## Usage Development: docker compose -f docker-compose.yml -f docker-compose.dev.yml up Production: docker compose -f docker-compose.yml -f docker-compose.prod.yml up See docs/DEPLOYMENT.md for detailed instructions. 2025-11-13 16:39:27 +01:00			`SES_FROM_EMAIL=noreply@spotlight.cam`
			`SES_FROM_NAME=spotlight.cam`

			`# Email Settings`
			`FRONTEND_URL=https://spotlight.cam`
			`VERIFICATION_TOKEN_EXPIRY=24h`

			`# Security Settings - Production (strict)`
			`RATE_LIMIT_ENABLED=true`
			`RATE_LIMIT_WINDOW_MS=900000`
			`RATE_LIMIT_MAX=100`
			`RATE_LIMIT_AUTH_MAX=5`
			`RATE_LIMIT_EMAIL_MAX=3`
			`ENABLE_CSRF=true`
			`BODY_SIZE_LIMIT=10kb`
			`LOG_LEVEL=warn`

			`# Password Policy - Enforced in production`
			`PASSWORD_MIN_LENGTH=8`
			`PASSWORD_REQUIRE_UPPERCASE=true`
			`PASSWORD_REQUIRE_LOWERCASE=true`
			`PASSWORD_REQUIRE_NUMBER=true`
			`PASSWORD_REQUIRE_SPECIAL=false`

			`# Account Lockout - Enabled in production`
			`ENABLE_ACCOUNT_LOCKOUT=true`
			`MAX_LOGIN_ATTEMPTS=5`
			`LOCKOUT_DURATION_MINUTES=15`

			`# Database Connection Pool`
			`DB_POOL_MIN=2`
			`DB_POOL_MAX=10`

			`# Monitoring (optional)`
			`SENTRY_DSN=`
			`NEW_RELIC_LICENSE_KEY=`

			`# IMPORTANT SECURITY NOTES:`
			`# 1. Generate JWT_SECRET with: openssl rand -base64 64`
			`# 2. Use AWS IAM roles instead of access keys when possible`
			`# 3. Use environment variables or secrets manager (AWS Secrets Manager, HashiCorp Vault)`
			`# 4. Never commit .env files to version control`
			`# 5. Rotate all secrets regularly (every 90 days)`
			`# 6. Use strong database passwords (20+ characters, mixed case, numbers, symbols)`