spotlightcam/backend/.env.production.example
Radosław Gierwiało 3ff966defc refactor: migrate to native Docker Compose profiles
Simplified Docker Compose configuration by using native profiles
instead of override files, following best practices.

Changes:
- Consolidated docker-compose.yml with --profile dev/prod support
- Removed docker-compose.dev.yml and docker-compose.prod.yml
- Updated all documentation for new usage pattern
- Created comprehensive README.md and DEPLOYMENT.md
- Simplified commands: 'docker compose --profile dev up'

Environment-specific configurations:
- Development: relaxed security, hot reload, exposed ports
- Production: strict security, optimized builds, restricted access

This approach is cleaner, more maintainable, and follows Docker
Compose best practices.
2025-11-13 18:00:08 +01:00


# Production Environment Configuration
# NEVER commit this file with real values!
# Use environment variables or secrets manager in production

# Server
NODE_ENV=production
PORT=3000

# CORS - Your production domains
CORS_ORIGIN=https://spotlight.cam,https://www.spotlight.cam

# Database - Use managed database or strong credentials
# NEVER use default passwords in production!
DATABASE_URL=postgresql://prod_user:STRONG_PASSWORD_HERE@db:5432/spotlightcam_prod

# JWT - CRITICAL: Generate strong secrets
# Generate with: openssl rand -base64 64
JWT_SECRET=CHANGE_THIS_TO_RANDOM_64_CHAR_STRING
JWT_EXPIRES_IN=24h

# AWS SES - Production credentials
# BEST PRACTICE: Use IAM roles instead of access keys
# Placeholders only - never put real access keys in this example file
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=YOUR_ACCESS_KEY_ID_HERE
AWS_SECRET_ACCESS_KEY=YOUR_SECRET_ACCESS_KEY_HERE
SES_FROM_EMAIL=noreply@spotlight.cam
SES_FROM_NAME=spotlight.cam

# Email Settings
FRONTEND_URL=https://spotlight.cam
VERIFICATION_TOKEN_EXPIRY=24h

# Security Settings - Production (strict)
RATE_LIMIT_ENABLED=true
RATE_LIMIT_WINDOW_MS=900000
RATE_LIMIT_MAX=100
RATE_LIMIT_AUTH_MAX=5
RATE_LIMIT_EMAIL_MAX=3
ENABLE_CSRF=true
BODY_SIZE_LIMIT=10kb
LOG_LEVEL=warn

# Password Policy - Enforced in production
PASSWORD_MIN_LENGTH=8
PASSWORD_REQUIRE_UPPERCASE=true
PASSWORD_REQUIRE_LOWERCASE=true
PASSWORD_REQUIRE_NUMBER=true
PASSWORD_REQUIRE_SPECIAL=false

# Account Lockout - Enabled in production
ENABLE_ACCOUNT_LOCKOUT=true
MAX_LOGIN_ATTEMPTS=5
LOCKOUT_DURATION_MINUTES=15

# Database Connection Pool
DB_POOL_MIN=2
DB_POOL_MAX=10

# Monitoring (optional)
SENTRY_DSN=
NEW_RELIC_LICENSE_KEY=

# IMPORTANT SECURITY NOTES:
# 1. Generate JWT_SECRET with: openssl rand -base64 64
# 2. Use AWS IAM roles instead of access keys when possible
# 3. Use environment variables or secrets manager (AWS Secrets Manager, HashiCorp Vault)
# 4. Never commit .env files to version control
# 5. Rotate all secrets regularly (every 90 days)
# 6. Use strong database passwords (20+ characters, mixed case, numbers, symbols)
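The template's own rules (placeholders must be replaced, JWT_SECRET from `openssl rand -base64 64`, 20+ character database password, strict settings on, no real keys in a committed example) can be checked mechanically. The lint below is an added example, not code from the spotlightcam project; the regexes, thresholds, function names and the two sample env texts are assumptions and constructed inputs.

```javascript
// Added example, not code from the spotlightcam project: lint an env file against the
// rules written in .env.production.example. Regexes, thresholds and names are assumptions.
const PLACEHOLDER = /CHANGE_THIS|_HERE\b|STRONG_PASSWORD/;
const AWS_KEY_ID = /^AKIA[0-9A-Z]{16}$/;   // shape of a long-term IAM user access key id
const MUST_BE_TRUE = ['RATE_LIMIT_ENABLED', 'ENABLE_CSRF', 'ENABLE_ACCOUNT_LOCKOUT'];
const SECRETS = ['JWT_SECRET', 'AWS_SECRET_ACCESS_KEY', 'DATABASE_URL'];
// Minimal KEY=VALUE parser: skips blanks and '#' comments, keeps all text after the first '='.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (line && !line.startsWith('#') && eq > 0) env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return env;
}

// mode 'template': placeholders are expected; any real-looking secret is a finding, because a
// committed example file must never carry live credentials.
// mode 'production': placeholders are findings and the strict settings must be switched on.
function lintEnv(text, mode) {
  const env = parseEnv(text);
  const findings = [];
  if (mode === 'template') {
    if (AWS_KEY_ID.test(env.AWS_ACCESS_KEY_ID || '')) findings.push('AWS_ACCESS_KEY_ID: real-looking key id in template');
    for (const k of SECRETS) if (env[k] && !PLACEHOLDER.test(env[k])) findings.push(`${k}: non-placeholder secret in template`);
    return findings;
  }
  if (env.NODE_ENV !== 'production') findings.push('NODE_ENV: must be production');
  for (const [k, v] of Object.entries(env)) if (PLACEHOLDER.test(v)) findings.push(`${k}: placeholder never replaced`);
  // openssl rand -base64 64 yields 88 characters; anything under 64 was not generated that way
  if ((env.JWT_SECRET || '').length < 64) findings.push('JWT_SECRET: shorter than 64 chars');
  const db = (env.DATABASE_URL || '').match(/^postgres(?:ql)?:\/\/[^:\/]+:([^@]+)@/);
  if (!db || db[1].length < 20) findings.push('DATABASE_URL: password missing or under 20 chars');
  for (const k of MUST_BE_TRUE) if (env[k] !== 'true') findings.push(`${k}: must be true`);
  return findings;
}
// Constructed inputs (no real credentials): a template that wrongly carries a key, and a filled env.
const TEMPLATE = `NODE_ENV=production
JWT_SECRET=CHANGE_THIS_TO_RANDOM_64_CHAR_STRING
AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
AWS_SECRET_ACCESS_KEY=constructedValueThatIsNotAPlaceholder
DATABASE_URL=postgresql://prod_user:STRONG_PASSWORD_HERE@db:5432/spotlightcam_prod`;
const PRODUCTION = `NODE_ENV=production
DATABASE_URL=postgresql://prod_user:${'p'.repeat(24)}@db:5432/spotlightcam_prod
JWT_SECRET=${'s'.repeat(88)}
RATE_LIMIT_ENABLED=true
ENABLE_CSRF=true
ENABLE_ACCOUNT_LOCKOUT=false`;
console.log(lintEnv(TEMPLATE, 'template'), lintEnv(PRODUCTION, 'production'));
```

Run it in template mode against the committed example file as a pre-commit hook, and in production mode against the real `.env.production` before deployment.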