fix: harden cloud storage security
@@ -20,7 +20,15 @@ NODE_ENV=production
|
||||
|
||||
# 强制HTTPS访问(生产环境建议开启)
|
||||
# 设置为 true 时,仅接受 HTTPS 访问
|
||||
ENFORCE_HTTPS=false
|
||||
ENFORCE_HTTPS=true
|
||||
|
||||
# 公开访问地址(生产环境必须配置,用于邮件、分享、直链等外部链接)
|
||||
# 示例: PUBLIC_BASE_URL=https://cs.workyai.cn
|
||||
PUBLIC_BASE_URL=https://your-domain.example
|
||||
|
||||
# Host 白名单(可选;未配置 PUBLIC_BASE_URL 时生产环境必须配置)
|
||||
# 示例: ALLOWED_HOSTS=cs.workyai.cn
|
||||
ALLOWED_HOSTS=your-domain.example
|
||||
|
||||
# 公开访问端口(nginx监听的端口,用于生成分享链接)
|
||||
# 标准端口(80/443)可不配置
|
||||
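Review bot: The example comments on the new `# 示例: PUBLIC_BASE_URL=https://cs.workyai.cn` and `# 示例: ALLOWED_HOSTS=cs.workyai.cn` lines point at what looks like a real deployment hostname, while the values directly under them use the reserved `your-domain.example`; a template copied with the example host left in would whitelist and generate links to a domain that is not the operator's. Use the reserved name in both places, `# 示例: PUBLIC_BASE_URL=https://your-domain.example` and `# 示例: ALLOWED_HOSTS=your-domain.example`, so the template never references a live host. The ALLOWED_HOSTS comment says the whitelist is optional when PUBLIC_BASE_URL is set; if the host check is indeed skipped in that case, stating so explicitly would help, since both keys now ship with the same placeholder.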
@@ -33,20 +41,20 @@ PUBLIC_PORT=80
|
||||
# 加密密钥(必须配置!)
|
||||
# 用于加密 OSS Access Key Secret 等敏感数据
|
||||
# 生成方法: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
|
||||
ENCRYPTION_KEY=your-encryption-key-please-change-this
|
||||
ENCRYPTION_KEY=REPLACE_WITH_64_HEX_CHARACTERS_GENERATED_BY_COMMAND
|
||||
|
||||
# JWT密钥(必须修改!)
|
||||
# 生成方法: openssl rand -base64 32
|
||||
# 或使用: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
|
||||
JWT_SECRET=your-secret-key-PLEASE-CHANGE-THIS-IN-PRODUCTION
|
||||
JWT_SECRET=REPLACE_WITH_RANDOM_SECRET_AT_LEAST_32_CHARS
|
||||
|
||||
# Refresh Token 密钥(可选,默认使用 JWT_SECRET 派生)
|
||||
# 建议生产环境设置独立的密钥
|
||||
# REFRESH_SECRET=your-refresh-secret-key
|
||||
# REFRESH_SECRET=REPLACE_WITH_SEPARATE_RANDOM_REFRESH_SECRET
|
||||
|
||||
# 管理员账号配置(首次启动时创建)
|
||||
ADMIN_USERNAME=admin
|
||||
ADMIN_PASSWORD=admin123
|
||||
ADMIN_PASSWORD=REPLACE_WITH_STRONG_ADMIN_PASSWORD
|
||||
|
||||
# ============================================
|
||||
# CORS 跨域配置(重要!)
|
||||
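Review bot: Every secret in this hunk — `ENCRYPTION_KEY=REPLACE_WITH_64_HEX_CHARACTERS_GENERATED_BY_COMMAND`, `JWT_SECRET=REPLACE_WITH_RANDOM_SECRET_AT_LEAST_32_CHARS` and `ADMIN_PASSWORD=REPLACE_WITH_STRONG_ADMIN_PASSWORD` — is still a syntactically valid value, so a deployment that copies the template unedited boots with a secret that is public in the repository, the same weakness the old `admin123` had. Unless the loader already refuses these placeholders (not visible here), prefer shipping them empty (`ENCRYPTION_KEY=`, `JWT_SECRET=`, `ADMIN_PASSWORD=`) with the generation command kept in the comment, so startup fails instead of running on a known value. If the placeholders are kept, a comment above the block stating that the server rejects any value beginning with `REPLACE_WITH_` would make the contract explicit, but only if such a check exists.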
@@ -69,17 +77,17 @@ ADMIN_PASSWORD=admin123
|
||||
# ALLOWED_ORIGINS=https://pan.example.com,https://admin.example.com
|
||||
# ALLOWED_ORIGINS=http://localhost:8080 # 开发环境
|
||||
#
|
||||
ALLOWED_ORIGINS=
|
||||
ALLOWED_ORIGINS=https://your-domain.example
|
||||
|
||||
# Cookie 安全配置
|
||||
# 使用 HTTPS 时必须设置为 true
|
||||
# HTTP 环境设置为 false
|
||||
COOKIE_SECURE=false
|
||||
COOKIE_SECURE=true
|
||||
|
||||
# CSRF 防护配置
|
||||
# 启用 CSRF 保护(建议生产环境开启)
|
||||
# 前端会自动从 Cookie 读取 csrf_token 并在请求头中发送
|
||||
ENABLE_CSRF=false
|
||||
ENABLE_CSRF=true
|
||||
|
||||
# ============================================
|
||||
# 反向代理配置(Nginx/Cloudflare等)
|
||||
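Review bot: `COOKIE_SECURE=true` and `ENABLE_CSRF=true` are now the template defaults, but the comments above them (`# 使用 HTTPS 时必须设置为 true` / `# HTTP 环境设置为 false`) still read as if the value is the developer's choice; over plain HTTP the browser silently discards a Secure cookie, so a local copy of this template logs in and immediately loses its session with no error. Add one line directly above `COOKIE_SECURE=true`, e.g. `# Local HTTP development: set to false (browsers discard Secure cookies over HTTP)`. The retained example `# ALLOWED_ORIGINS=http://localhost:8080 # 开发环境` carries a trailing inline comment; whether ` # 开发环境` becomes part of the origin string when that line is uncommented verbatim depends on the dotenv loader, so moving the remark onto its own line is safer.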
@@ -97,7 +105,7 @@ ENABLE_CSRF=false
|
||||
# ⚠️ 重要: 如果使用 Nginx 反向代理并开启 ENFORCE_HTTPS=true
|
||||
# 必须配置 TRUST_PROXY=1,否则后端无法正确识别HTTPS请求
|
||||
#
|
||||
TRUST_PROXY=false
|
||||
TRUST_PROXY=1
|
||||
|
||||
# ============================================
|
||||
# 存储配置
|
||||
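Review bot: `TRUST_PROXY=1` as the shipped default trusts the forwarding headers of the nearest hop unconditionally, which is only correct when a reverse proxy is the sole path to the app; if the service is exposed directly, a client can forge the forwarding headers that the new `ENFORCE_HTTPS=true` check and any IP-based logic rely on. The existing comment explains when the setting is required but not when it is unsafe; add `# Set only when a reverse proxy is actually in front of the app; keep false when clients connect directly` above the value. The TRUST_PROXY comment block starts above this hunk, so its earlier lines are not visible here.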
@@ -126,15 +134,11 @@ STORAGE_ROOT=./storage
|
||||
# OSS_ENDPOINT= # 自定义 Endpoint(可选)
|
||||
|
||||
# ============================================
|
||||
# Session 配置
|
||||
# 验证码票据配置
|
||||
# ============================================
|
||||
|
||||
# Session 密钥(用于验证码等功能)
|
||||
# 默认使用随机生成的密钥
|
||||
# SESSION_SECRET=your-session-secret
|
||||
|
||||
# Session 过期时间(毫秒),默认 30 分钟
|
||||
# SESSION_MAX_AGE=1800000
|
||||
# 验证码票据签名密钥(可选;默认复用 JWT_SECRET)
|
||||
# CAPTCHA_SECRET=replace-with-random-32-byte-hex
|
||||
|
||||
# ============================================
|
||||
# 开发调试配置
|
||||
|
||||
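Review bot: `# CAPTCHA_SECRET=replace-with-random-32-byte-hex` is the only secret placeholder in this commit written in lowercase-dash style; the rest of the file now uses the `REPLACE_WITH_...` form, so `# CAPTCHA_SECRET=REPLACE_WITH_RANDOM_32_BYTE_HEX` keeps every placeholder findable with one pattern. The comment says the captcha ticket signing key falls back to `JWT_SECRET`; if that is how the code behaves, a note that rotating or compromising JWT_SECRET then also affects captcha tickets, and that production should set a separate key as the `REFRESH_SECRET` comment already advises, would make the trade-off visible to the operator.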