security improvements

.env.example

@@ -0,0 +1,67 @@
+# ACC Server Manager Environment Configuration
+# Copy this file to .env and update with your actual values
+
+# =============================================================================
+# CRITICAL SECURITY SETTINGS (REQUIRED)
+# =============================================================================
+
+# JWT Secret Key - MUST be changed in production
+# Generate with: openssl rand -base64 64
+JWT_SECRET=your-super-secure-jwt-secret-key-minimum-32-chars-long-change-this-in-production
+
+# Application Secrets - MUST be changed in production
+# Generate with: openssl rand -hex 32
+APP_SECRET=your-super-secure-app-secret-change-this-in-production
+APP_SECRET_CODE=your-super-secure-app-secret-code-change-this-in-production
+
+# Encryption Key for sensitive data (MUST be exactly 32 characters for AES-256)
+# Generate with: openssl rand -hex 16
+ENCRYPTION_KEY=your-32-character-encryption-key-here
+
+# =============================================================================
+# CORE APPLICATION SETTINGS
+# =============================================================================
+
+# Database file name (SQLite)
+DB_NAME=acc.db
+
+# Server port
+PORT=3000
+
+# CORS allowed origin (use specific domains in production)
+CORS_ALLOWED_ORIGIN=http://localhost:5173
+
+# Default admin password for initial setup (change after first login)
+PASSWORD=change-this-default-admin-password
+
+# =============================================================================
+# INSTRUCTIONS FOR PRODUCTION DEPLOYMENT
+# =============================================================================
+
+# 1. Generate secure secrets:
+#    - JWT_SECRET: openssl rand -base64 64
+#    - APP_SECRET: openssl rand -hex 32
+#    - APP_SECRET_CODE: openssl rand -hex 32
+#    - ENCRYPTION_KEY: openssl rand -hex 16
+
+# 2. Set appropriate CORS origins for your domain
+
+# 3. Change the default PASSWORD immediately after first login
+
+# 4. NEVER commit actual secrets to version control!
+
+# =============================================================================
+# OPTIONAL SETTINGS (These are handled by system config in database)
+# =============================================================================
+
+# The following settings are managed through the application's system config
+# and stored in the database. They are listed here for reference only:
+#
+# - SteamCMD path (configured via web interface)
+# - NSSM path (configured via web interface)
+# - Logging settings (handled by application defaults)
+# - Rate limiting (handled by application defaults)
+# - Backup settings (handled by application defaults)
+# - Monitoring settings (handled by application defaults)
+#
+# These can be configured through the web interface after installation.