mirror of
https://github.com/complexcaresolutions/cms.c2sgmbh.git
synced 2026-03-17 19:44:12 +00:00
Martin Porwoll
e3987e50dc
- Hardened cron endpoints with coordination and auth improvements - Added API guards and input validation layer - Security observability and secrets health checks - Monitoring types and service improvements - PDF URL validation and newsletter unsubscribe security - Unit tests for security-critical paths Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
72 lines
2 KiB
Text
72 lines
2 KiB
Text
# Datenbank (PostgreSQL via PgBouncer)
|
|
DATABASE_URI=postgresql://payload:YOUR_PASSWORD@127.0.0.1:6432/payload_db
|
|
PAYLOAD_SECRET=YOUR_SECRET_HERE
|
|
PAYLOAD_PUBLIC_SERVER_URL=http://localhost:3000
|
|
NEXT_PUBLIC_SERVER_URL=http://localhost:3000
|
|
NODE_ENV=development
|
|
PORT=3000
|
|
|
|
# E-Mail (Global Fallback)
|
|
SMTP_HOST=smtp.example.com
|
|
SMTP_PORT=587
|
|
SMTP_SECURE=false
|
|
SMTP_USER=user@example.com
|
|
SMTP_PASS=your-password
|
|
SMTP_FROM_ADDRESS=noreply@example.com
|
|
SMTP_FROM_NAME=Payload CMS
|
|
|
|
# Redis Cache (optional, In-Memory-Fallback)
|
|
REDIS_URL=redis://localhost:6379
|
|
|
|
# Security
|
|
CSRF_SECRET=your-csrf-secret
|
|
TRUST_PROXY=true
|
|
BLOCKED_IPS=
|
|
SEND_EMAIL_ALLOWED_IPS=
|
|
GENERATE_PDF_ALLOWED_IPS=
|
|
ADMIN_ALLOWED_IPS=
|
|
WEBHOOK_ALLOWED_IPS=
|
|
|
|
# YouTube OAuth (optional)
|
|
GOOGLE_CLIENT_ID=your-client-id
|
|
GOOGLE_CLIENT_SECRET=your-client-secret
|
|
YOUTUBE_REDIRECT_URI=http://localhost:3000/api/youtube/callback
|
|
|
|
# Meta OAuth (optional)
|
|
META_APP_ID=your-app-id
|
|
META_APP_SECRET=your-app-secret
|
|
META_REDIRECT_URI=http://localhost:3000/api/auth/meta/callback
|
|
|
|
# Cron Jobs (required in production)
|
|
CRON_SECRET=your-64-char-hex
|
|
CRON_LOCK_TTL_MS=600000
|
|
CRON_IDEMPOTENCY_TTL_MS=900000
|
|
|
|
# PDF Security
|
|
PDF_ALLOWED_HOSTS=example.com,.example.com
|
|
# Nur in non-production und nur falls zwingend notwendig aktivieren:
|
|
PDF_ALLOW_HTTP_URLS=false
|
|
|
|
# Scheduler
|
|
# In Production standardmäßig deaktiviert, um Doppel-Ausführungen in Multi-Instance-Deployments zu vermeiden
|
|
ENABLE_IN_PROCESS_SCHEDULER=false
|
|
SCHEDULER_MODE=external
|
|
|
|
# Security Observability
|
|
SECURITY_METRICS_WINDOW_MS=300000
|
|
SECURITY_ALERT_COOLDOWN_MS=900000
|
|
SECURITY_ALERT_THRESHOLD_DEFAULT=25
|
|
SECURITY_ALERT_THRESHOLD_CRON_AUTH_REJECTED=10
|
|
SECURITY_ALERT_THRESHOLD_PDF_SSRF_BLOCKED=5
|
|
SECURITY_ALERT_THRESHOLD_RATE_LIMIT_BLOCKED=50
|
|
|
|
# Secret Lifecycle Monitoring
|
|
SECRET_EXPIRY_WARNING_DAYS=14
|
|
SECRET_ROTATION_MAX_DAYS=90
|
|
PAYLOAD_SECRET_ROTATED_AT=2026-02-01T00:00:00Z
|
|
PAYLOAD_SECRET_EXPIRES_AT=2026-08-01T00:00:00Z
|
|
CRON_SECRET_ROTATED_AT=2026-02-01T00:00:00Z
|
|
CRON_SECRET_EXPIRES_AT=2026-08-01T00:00:00Z
|
|
|
|
# Tests
|
|
EMAIL_DELIVERY_DISABLED=false
|