fix(security): remove hardcoded default credentials from config files
- .env.example: replace weak default INITIAL_ADMIN_PASSWORD and AUTH_SECRET with instructive placeholders requiring manual generation - docker-compose.yml: parameterize POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB and DATABASE_URL via environment variables with local fallbacks
This commit is contained in:
+3
-2
@@ -1,8 +1,8 @@
|
||||
APP_URL=http://localhost
|
||||
DATABASE_URL=postgresql://ecommerce:ecommerce_password@db:5432/ecommerce
|
||||
AUTH_SECRET=dev-secret-change-in-production-32chars
|
||||
AUTH_SECRET=<generate-with-openssl-rand-hex-32>
|
||||
INITIAL_ADMIN_EMAIL=admin@example.com
|
||||
INITIAL_ADMIN_PASSWORD=Admin1234!test
|
||||
INITIAL_ADMIN_PASSWORD=<change-this-use-openssl-rand-base64-32>
|
||||
STRIPE_SECRET_KEY=sk_test_placeholder
|
||||
STRIPE_WEBHOOK_SECRET=whsec_placeholder
|
||||
SMTP_HOST=mailpit
|
||||
@@ -10,3 +10,4 @@ SMTP_PORT=1025
|
||||
SMTP_USER=
|
||||
SMTP_PASSWORD=
|
||||
SMTP_FROM=noreply@localhost
|
||||
POSTGRES_PASSWORD=ecommerce_password
|
||||
|
||||
Reference in New Issue
Block a user