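# Bootstrap App Environment Configuration (template)
# Copy this file to .env and replace the placeholder values.
# Format: dotenv — one KEY=value per line, `#` starts a full-line comment.
# Values are left unquoted; do not add trailing comments on value lines,
# because a dotenv loader may keep them as part of the value.

# =============================================================================
# CRITICAL SECURITY SETTINGS (REQUIRED)
# =============================================================================
# These values MUST be set for the application to work.
# Use the scripts/generate-secrets.* scripts to generate secure values;
# never reuse the placeholders below in a running deployment.

# JWT secret for token signing (64+ characters, base64 encoded)
JWT_SECRET=your-generated-jwt-secret-here

# Application secrets (32 bytes, hex encoded)
APP_SECRET=your-generated-app-secret-here
APP_SECRET_CODE=your-generated-secret-code-here

# AES-256 encryption key.
# NOTE(review): AES-256 requires a 32-byte key, which is 64 hex characters;
# a 32-character hex string decodes to only 16 bytes (AES-128). Confirm the
# exact length the application's key loader expects before generating this
# value, and check that the generator script produces that length.
ENCRYPTION_KEY=your-generated-32-character-hex-key

# =============================================================================
# CORE APPLICATION SETTINGS
# =============================================================================

# TCP port the server listens on
PORT=3000

# Database configuration (SQLite file name)
DB_NAME=app.db

# CORS configuration (comma-separated for multiple origins).
# Use explicit origins only; a wildcard would disable the origin check.
CORS_ALLOWED_ORIGIN=http://localhost:5173,http://localhost:3000

# =============================================================================
# AUTHENTICATION & SECURITY
# =============================================================================

# JWT token lifetimes and issuer claim
JWT_ACCESS_TTL_HOURS=24
JWT_REFRESH_TTL_DAYS=7
JWT_ISSUER=omega-server

# Password policy and brute-force lockout
PASSWORD_MIN_LENGTH=8
MAX_LOGIN_ATTEMPTS=5
LOCKOUT_DURATION_MINUTES=30

# Rate limiting (requests per window)
RATE_LIMIT_REQUESTS=100
RATE_LIMIT_WINDOW_MINUTES=1

# Session timeout in minutes
SESSION_TIMEOUT_MINUTES=60

# =============================================================================
# DEFAULT ADMIN ACCOUNT
# =============================================================================

# Default admin password, used only to seed the first admin account.
# CHANGE THIS IMMEDIATELY AFTER FIRST LOGIN; a deployment that keeps this
# placeholder exposes a well-known administrator credential.
DEFAULT_ADMIN_PASSWORD=change-this-password

# =============================================================================
# LOGGING CONFIGURATION
# =============================================================================

# Log level: DEBUG, INFO, WARN, ERROR, PANIC
LOG_LEVEL=INFO

# Enable debug mode (shows detailed error messages).
# Keep false outside development so internal details are not returned to clients.
DEBUG_MODE=false

# Log retention in days
LOG_RETENTION_DAYS=30

# =============================================================================
# ENVIRONMENT SETTINGS
# =============================================================================

# Environment: development, staging, production
GO_ENV=development

# =============================================================================
# EMAIL CONFIGURATION (Optional)
# =============================================================================

# SMTP settings for email notifications; leave blank to disable.
SMTP_HOST=
SMTP_PORT=587
SMTP_USERNAME=
SMTP_PASSWORD=
SMTP_FROM_EMAIL=noreply@example.com
SMTP_FROM_NAME=Bootstrap App

# Enable TLS for SMTP (true/false)
SMTP_USE_TLS=true

# =============================================================================
# FILE UPLOAD SETTINGS
# =============================================================================

# Maximum file upload size in MB
MAX_FILE_UPLOAD_SIZE_MB=10

# Allowed file extensions (comma-separated allow-list)
ALLOWED_FILE_EXTENSIONS=jpg,jpeg,png,gif,pdf,doc,docx,txt

# Upload directory (relative paths resolve against the working directory)
UPLOAD_DIR=uploads

# =============================================================================
# CACHE CONFIGURATION
# =============================================================================

# Enable caching (true/false)
CACHE_ENABLED=true

# Cache TTL in minutes
CACHE_TTL_MINUTES=60

# =============================================================================
# API CONFIGURATION
# =============================================================================

# API rate limiting per endpoint (requests per window)
API_RATE_LIMIT_REQUESTS=1000
API_RATE_LIMIT_WINDOW_MINUTES=60

# API request timeout in seconds
API_REQUEST_TIMEOUT_SECONDS=30

# =============================================================================
# MONITORING & HEALTH CHECKS
# =============================================================================

# Enable health check endpoint (true/false)
HEALTH_CHECK_ENABLED=true

# Health check interval in seconds
HEALTH_CHECK_INTERVAL_SECONDS=30

# =============================================================================
# DEVELOPMENT SETTINGS
# =============================================================================
# These defaults suit local development; set the DEV_* flags to false in
# staging/production so request bodies, SQL and error details are not logged
# or returned.

# Enable request logging in development
DEV_LOG_REQUESTS=true

# Enable SQL query logging
DEV_LOG_SQL_QUERIES=false

# Enable detailed error responses
DEV_DETAILED_ERRORS=true

# =============================================================================
# SECURITY HEADERS
# =============================================================================

# Content Security Policy. The value contains ';' and single quotes and is
# passed through unquoted; verify the loader preserves it verbatim.
# NOTE: 'unsafe-inline' in script-src weakens the policy against injected
# scripts; prefer nonces or hashes for production.
CSP_POLICY=default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'

# X-Frame-Options
X_FRAME_OPTIONS=DENY

# X-Content-Type-Options
X_CONTENT_TYPE_OPTIONS=nosniff

# Referrer Policy
REFERRER_POLICY=strict-origin-when-cross-origin

# =============================================================================
# BACKUP SETTINGS
# =============================================================================

# Enable automatic database backups (true/false)
BACKUP_ENABLED=true

# Backup interval in hours
BACKUP_INTERVAL_HOURS=24

# Backup retention in days
BACKUP_RETENTION_DAYS=7

# Backup directory (backups contain the full database; restrict its permissions)
BACKUP_DIR=backups

# =============================================================================
# FEATURE FLAGS
# =============================================================================

# Enable user registration
ENABLE_USER_REGISTRATION=true

# Enable email verification (requires the SMTP settings above)
ENABLE_EMAIL_VERIFICATION=false

# Enable two-factor authentication
ENABLE_TWO_FACTOR_AUTH=false

# Enable audit logging
ENABLE_AUDIT_LOGGING=true

# Enable security event logging
ENABLE_SECURITY_EVENT_LOGGING=true

# =============================================================================
# EXTERNAL SERVICES (Optional)
# =============================================================================

# Redis configuration (if using Redis for caching/sessions)
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_PASSWORD=
REDIS_DB=0

# External API credentials; leave blank when not used
EXTERNAL_API_KEY=
EXTERNAL_API_SECRET=

# =============================================================================
# NOTES
# =============================================================================
# 1. Never commit a .env containing real secrets to version control
# 2. Use the scripts/generate-secrets.* scripts to generate secure secrets
# 3. Change DEFAULT_ADMIN_PASSWORD immediately after first setup
# 4. Review and adjust the security settings for your deployment environment
# 5. Enable HTTPS in production and update CORS_ALLOWED_ORIGIN accordingly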