-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path.env.example
More file actions
79 lines (65 loc) · 2.71 KB
/
.env.example
File metadata and controls
79 lines (65 loc) · 2.71 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
# Database configuration
DB_DRIVER=postgres
# ⚠️ SECURITY WARNING: sslmode=disable is for DEVELOPMENT ONLY
# Production MUST use sslmode=require or sslmode=verify-full
# See docs/operations/security-hardening.md for guidance
DB_CONNECTION_STRING=postgres://user:password@localhost:5432/mydb?sslmode=disable
DB_MAX_OPEN_CONNECTIONS=25
DB_MAX_IDLE_CONNECTIONS=5
DB_CONN_MAX_LIFETIME_MINUTES=5
DB_CONN_MAX_IDLE_TIME_MINUTES=5
# Server configuration
SERVER_HOST=0.0.0.0
SERVER_PORT=8080
SERVER_SHUTDOWN_TIMEOUT_SECONDS=10
# HTTP server timeout configuration (in seconds)
# Read timeout: maximum duration for reading the entire request, including the body
SERVER_READ_TIMEOUT_SECONDS=15
# Write timeout: maximum duration before timing out writes of the response
SERVER_WRITE_TIMEOUT_SECONDS=15
# Idle timeout: maximum time to wait for the next request when keep-alives are enabled
SERVER_IDLE_TIMEOUT_SECONDS=60
# Logging
LOG_LEVEL=info
# Metrics configuration
METRICS_ENABLED=true
METRICS_NAMESPACE=secrets
METRICS_PORT=8081
# Metrics server timeout configuration (in seconds)
# Read timeout: maximum duration for reading the entire request, including the body
METRICS_SERVER_READ_TIMEOUT_SECONDS=15
# Write timeout: maximum duration before timing out writes of the response
METRICS_SERVER_WRITE_TIMEOUT_SECONDS=15
# Idle timeout: maximum time to wait for the next request when keep-alives are enabled
METRICS_SERVER_IDLE_TIMEOUT_SECONDS=60
# ...
# Authentication configuration
# Token expiration in seconds (default: 14400 = 4 hours)
# Migration note: Prior to v0.5.0, default was 86400 (24 hours)
AUTH_TOKEN_EXPIRATION_SECONDS=14400
# Rate limiting configuration (authenticated endpoints)
# Protects against abuse and denial-of-service attacks on authenticated routes
RATE_LIMIT_ENABLED=true
RATE_LIMIT_REQUESTS_PER_SEC=10.0
RATE_LIMIT_BURST=20
# Token endpoint rate limiting (IP-based, unauthenticated)
# Applies to POST /v1/token endpoint to prevent credential stuffing and brute force attacks
# Stricter limits recommended as this endpoint is unauthenticated and commonly targeted
RATE_LIMIT_TOKEN_ENABLED=true
RATE_LIMIT_TOKEN_REQUESTS_PER_SEC=5.0
RATE_LIMIT_TOKEN_BURST=10
# Account Lockout
LOCKOUT_MAX_ATTEMPTS=10
LOCKOUT_DURATION_MINUTES=30
# Secret value size limit
# Maximum size allowed for a secret value in bytes (default: 524288 = 512 KB)
SECRET_VALUE_SIZE_LIMIT_BYTES=524288
# Tokenization batch limit
# Maximum number of items in a batch tokenization request (default: 100)
TOKENIZATION_BATCH_LIMIT=100
# CORS configuration
# ⚠️ SECURITY WARNING: CORS is disabled by default for server-to-server API
# Enable only if browser-based access is required
# Never use "*" for CORS_ALLOW_ORIGINS in production
CORS_ENABLED=false
CORS_ALLOW_ORIGINS=