CRITICAL fixes:
- Race condition (TOCTOU) in payout/refund with SELECT FOR UPDATE (CRITICAL-001/002)
- IDOR on analytics endpoint — ownership check enforced (CRITICAL-003)
- CSWSH on all WebSocket endpoints — origin whitelist (CRITICAL-004)
- Mass assignment on user self-update — strip privileged fields (CRITICAL-005)

HIGH fixes:
- Path traversal in marketplace upload — UUID filenames (HIGH-001)
- IP spoofing — use Gin trusted proxy c.ClientIP() (HIGH-002)
- Popularity metrics (followers, likes) set to json:"-" (HIGH-003)
- bcrypt cost hardened to 12 everywhere (HIGH-004)
- Refresh token lock made mandatory (HIGH-005)
- Stream token replay prevention with access_count (HIGH-006)
- Subscription trial race condition fixed (HIGH-007)
- License download expiration check (HIGH-008)
- Webhook amount validation (HIGH-009)
- pprof endpoint removed from production (HIGH-010)

MEDIUM fixes:
- WebSocket message size limit 64KB (MEDIUM-010)
- HSTS header in nginx production (MEDIUM-001)
- CORS origin restricted in nginx-rtmp (MEDIUM-002)
- Docker alpine pinned to 3.21 (MEDIUM-003/004)
- Redis authentication enforced (MEDIUM-005)
- GDPR account deletion expanded (MEDIUM-006)
- .gitignore hardened (MEDIUM-007)

LOW/INFO fixes:
- GitHub Actions SHA pinning on all workflows (LOW-001)
- .env.example security documentation (INFO-001)
- Production CORS set to HTTPS (LOW-002)

All tests pass. Go and Rust compile clean.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
103 lines
3.4 KiB
Text
# =============================================================================
# VEZA BACKEND API - PRODUCTION CONFIGURATION
# =============================================================================
# ⚠️ IMPORTANT: This file is a TEMPLATE
# The ${VAR} values must be injected by the orchestrator (K8s, Docker, etc.)
# NEVER commit plaintext secrets into this file
# =============================================================================

# --- ENVIRONMENT ---
APP_ENV=production
APP_PORT=8080
LOG_LEVEL=info

# --- DATABASE ---
# Injected by the orchestrator (e.g. K8s Secret, Docker Compose environment)
DATABASE_URL=${DATABASE_URL}
DATABASE_MAX_OPEN_CONNS=25
DATABASE_MAX_IDLE_CONNS=5
DATABASE_CONN_MAX_LIFETIME=5m

# --- JWT & SECURITY ---
# ⚠️ CRITICAL: Injected by AWS Secrets Manager / HashiCorp Vault
# NEVER use the dev value in production
JWT_SECRET=${JWT_SECRET}
JWT_ISSUER=veza-api
JWT_AUDIENCE=veza-app
JWT_ACCESS_TOKEN_DURATION=15m
JWT_REFRESH_TOKEN_DURATION=30d

# --- COOKIES (PRODUCTION) ---
# CRITICAL: Secure cookies are mandatory in production
COOKIE_SECURE=true
COOKIE_SAME_SITE=strict
COOKIE_DOMAIN=.veza.com

# --- CORS ---
# ⚠️ IMPORTANT: Set the exact origins (no wildcard)
# User config: veza.com, veza.talas.fr, veza.fr, veza.talas.com (all on 127.0.0.1)
# Local dev with custom domains (port 5173 for Vite)
# SECURITY(REM-018): Default to HTTPS origins for production. Override in deployment.
CORS_ALLOWED_ORIGINS=https://app.veza.com,https://www.veza.com,https://veza.fr,https://veza.talas.fr

# --- REDIS ---
# Required for CSRF tokens, rate limiting, and cache
REDIS_ADDR=${REDIS_ADDR:-veza.fr:6379}
REDIS_PASSWORD=${REDIS_PASSWORD}
REDIS_DB=0

# --- RABBITMQ (Optional) ---
# Disable if not used in production
RABBITMQ_ENABLE=${RABBITMQ_ENABLE:-false}
RABBITMQ_URL=${RABBITMQ_URL}

# --- SENTRY (Monitoring) ---
# Strongly recommended for production
SENTRY_DSN=${SENTRY_DSN}
SENTRY_ENVIRONMENT=production
SENTRY_SAMPLE_RATE_ERRORS=1.0
SENTRY_SAMPLE_RATE_TRANSACTIONS=0.1

# --- RATE LIMITING ---
# Enable in production for DoS protection
RATE_LIMIT_ENABLED=true
RATE_LIMIT_REQUESTS_PER_SECOND=100

# --- UPLOADS ---
# Absolute path for persistent storage
UPLOAD_DIR=${UPLOAD_DIR:-/var/lib/veza/uploads}
ENABLE_CLAMAV=${ENABLE_CLAMAV:-true}
CLAMAV_REQUIRED=${CLAMAV_REQUIRED:-true}

# --- EXTERNAL SERVICES ---
# URLs of the other services in the stack
STREAM_SERVER_URL=${STREAM_SERVER_URL:-http://veza.fr:8082}
CHAT_SERVER_URL=${CHAT_SERVER_URL:-http://veza.fr:8081}

# --- EMAIL (Optional) ---
# Required if email verification / password reset are enabled
SMTP_HOST=${SMTP_HOST}
SMTP_PORT=${SMTP_PORT:-587}
SMTP_USERNAME=${SMTP_USERNAME}
SMTP_PASSWORD=${SMTP_PASSWORD}
SMTP_FROM=${SMTP_FROM:-noreply@veza.com}

# =============================================================================
# MANDATORY vs OPTIONAL VARIABLES
# =============================================================================
#
# MANDATORY (the app will not start without them):
# - DATABASE_URL
# - JWT_SECRET
# - REDIS_ADDR (if CSRF/rate limiting are enabled)
#
# STRONGLY RECOMMENDED:
# - SENTRY_DSN (error monitoring)
# - CORS_ALLOWED_ORIGINS (otherwise strict mode = reject all)
#
# OPTIONAL:
# - RABBITMQ_* (if asynchronous events are not used)
# - SMTP_* (if no emails are sent)
# - CLAMAV_* (if uploads are not scanned for malware)
#
# =============================================================================
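An added example, not code from the Veza repository or from this commit, written in Go because the backend is a Gin service: a start-up check that enforces the rules the template's comments state (mandatory variables present, no uninjected `${VAR}` placeholder left behind, COOKIE_SECURE=true in production, only exact HTTPS CORS origins). The function names and the sample env text are constructed here.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed sample: a rendered .env.production with incomplete injection and bad CORS origins.
const sampleEnv = `APP_ENV=production
JWT_SECRET=${JWT_SECRET}
RATE_LIMIT_ENABLED=true
CORS_ALLOWED_ORIGINS=https://app.veza.com,http://veza.fr,*`
// Matches an orchestrator placeholder such as ${JWT_SECRET} or ${REDIS_ADDR:-host:6379}.
var placeholder = regexp.MustCompile(`\$\{[A-Z0-9_]+(:-[^}]*)?\}`)
// ParseEnv reads KEY=VALUE lines, ignoring blank lines and # comments (even ones containing '=').
func ParseEnv(text string) map[string]string {
	env := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if k, v, ok := strings.Cut(line, "="); ok && !strings.HasPrefix(line, "#") {
			env[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return env
}

// ValidateProductionEnv returns every template rule the env breaks (empty slice = safe to start).
func ValidateProductionEnv(env map[string]string) []string {
	var problems []string
	// Mandatory variables; REDIS_ADDR only when Redis-backed rate limiting is on.
	for _, k := range []string{"DATABASE_URL", "JWT_SECRET", "REDIS_ADDR"} {
		if env[k] == "" && (k != "REDIS_ADDR" || env["RATE_LIMIT_ENABLED"] == "true") {
			problems = append(problems, k+" is mandatory")
		}
	}
	for k, v := range env { // a leftover ${VAR} means the orchestrator never injected it
		if placeholder.MatchString(v) {
			problems = append(problems, k+" still holds an uninjected placeholder")
		}
	}
	if env["APP_ENV"] == "production" && env["COOKIE_SECURE"] != "true" {
		problems = append(problems, "COOKIE_SECURE must be true in production")
	}
	for _, o := range strings.Split(env["CORS_ALLOWED_ORIGINS"], ",") {
		if o = strings.TrimSpace(o); o == "*" || (o != "" && !strings.HasPrefix(o, "https://")) {
			problems = append(problems, "CORS origin not allowed in production: "+o)
		}
	}
	return problems
}
```

Run the check before the server binds its port and refuse to start on a non-empty result, so a half-injected template fails loudly instead of running with a literal `${JWT_SECRET}` as the signing key.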