HSTS (Strict-Transport-Security) is now opt-in via FORCE_HTTPS=true. Without it enabled, no HSTS header is sent — safe for dev environments and enterprise deployments behind HTTP-only proxies without HTTPS certs. When FORCE_HTTPS=true, sends 'max-age=31536000; includeSubDomains'. Enterprise recommendation: set HSTS at nginx/ingress level instead. .env.example documents the risk: enabling without certs breaks site access.
22 lines
917 B
Plaintext
22 lines
917 B
Plaintext
# ── Required: Secrets ──
|
|
# Generate with: python -c "import secrets; print(secrets.token_urlsafe(32))"
|
|
AUTH_SECRET_KEY=change-me-to-a-random-secret
|
|
ENCRYPTION_KEY=change-me-to-a-fernet-key
|
|
|
|
# ── Required: Database ──
|
|
# PostgreSQL via docker-compose:
|
|
DATABASE_URL=postgresql+psycopg2://postgres:postgres@localhost:5432/ss_tools
|
|
AUTH_DATABASE_URL=postgresql+psycopg2://postgres:postgres@localhost:5432/ss_tools
|
|
TASKS_DATABASE_URL=postgresql+psycopg2://postgres:postgres@localhost:5432/ss_tools
|
|
|
|
# ── Optional ──
|
|
ALLOWED_ORIGINS=http://localhost:5173
|
|
SESSION_SECRET_KEY=change-me-to-a-random-secret
|
|
FEATURES__DATASET_REVIEW=true
|
|
FEATURES__HEALTH_MONITOR=true
|
|
APP_TIMEZONE=Europe/Moscow
|
|
|
|
# HSTS — включать только при настроенном HTTPS (nginx/ingress)
|
|
# Включение без сертификатов сломает доступ к сайту!
|
|
# FORCE_HTTPS=true
|