security: harden admin password change and production session headers

2026-02-07 21:37:55 +08:00
parent 7997a97a9a
commit 08864e51ba
26 changed files with 159 additions and 59 deletions
--- a/.env.example
+++ b/.env.example
@@ -13,7 +13,8 @@ FLASK_DEBUG=false

 # Session配置
 SESSION_LIFETIME_HOURS=24
-SESSION_COOKIE_SECURE=false  # 使用HTTPS时设为true
+SESSION_COOKIE_SECURE=true  # 生产环境HTTPS必须为true，本地HTTP调试可临时设为false
+HTTPS_ENABLED=true

 # ==================== 数据库配置 ====================
 DB_FILE=data/app_data.db