bd3e66cd44
Content-Security-Policy: add header with default-src 'self', unsafe-inline for styles (needed for JS-generated inline style attrs), and data: for embedded logo/signature images.

JSON body limit: reduce from 10mb to 2mb (logo cap is 512KB base64).

Session maxAge: now configurable via SESSION_MAX_AGE_HOURS env var (default 168h / 7 days). Documented in .env.example.

Password strength: centralize validation in auth.js and raise the bar to 10+ characters with at least one letter and one non-letter. Applied consistently to all four password-setting paths (initial setup, login change-password, admin create user, admin edit user).
8 lines
278 B
Bash
# Copy to .env and fill in values before starting in production.
# Generate SESSION_SECRET with: openssl rand -hex 32

SESSION_SECRET=replace-with-a-random-64-character-hex-string
SESSION_MAX_AGE_HOURS=168 # default: 168 (7 days)
PORT=3000
DB_PATH=/app/data/check-printing.db
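The three settings the commit describes (CSP header, SESSION_MAX_AGE_HOURS parsing with the 168h fallback, and the centralised password rule), written out as an added example in plain Node.js rather than the project's own auth.js; the exact CSP directive layout and the error strings are assumptions, the commit only states the intent.

```javascript
// Added example, not the project's code. Pure functions so the behaviour can be
// checked without Express; the app would pass these values to res.setHeader,
// express.json({ limit }) and the session cookie's maxAge respectively.

const DEFAULT_SESSION_HOURS = 168;   // 7 days, matches .env.example
const JSON_BODY_LIMIT = '2mb';       // logo cap is 512KB base64, so 10mb was far too generous

// Content-Security-Policy: same-origin by default, inline styles allowed only
// because the UI sets style attributes from JS, data: URIs allowed only for
// images (embedded logo/signature). Directive layout is an assumption.
function buildCspHeader() {
  return [
    "default-src 'self'",
    "style-src 'self' 'unsafe-inline'",
    "img-src 'self' data:",
  ].join('; ');
}

// Session lifetime in ms from SESSION_MAX_AGE_HOURS. Anything that is not a
// positive finite number (unset, empty, "abc", negative) falls back to the
// default instead of yielding a NaN maxAge, which express-session would treat
// as "no expiry set" and silently turn the cookie into a session cookie.
function sessionMaxAgeMs(env) {
  const hours = Number(env.SESSION_MAX_AGE_HOURS);
  const valid = Number.isFinite(hours) && hours > 0;
  return (valid ? hours : DEFAULT_SESSION_HOURS) * 60 * 60 * 1000;
}

// Single password rule shared by all four password-setting paths:
// 10+ characters, at least one letter, at least one non-letter.
// Returns an error message or null so callers cannot disagree on the policy.
function validatePassword(password) {
  if (typeof password !== 'string' || password.length < 10) {
    return 'Password must be at least 10 characters long';
  }
  if (!/[A-Za-z]/.test(password)) {
    return 'Password must contain at least one letter';
  }
  if (!/[^A-Za-z]/.test(password)) {
    return 'Password must contain at least one non-letter character';
  }
  return null;
}
```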