webupdatev1

backend/.env.example

@@ -1,19 +1,45 @@
 # Environment Variables for Backend
 # Copy this file to .env and fill in your values
+# SECURITY: Never commit .env to version control
 
 # Server
-PORT=3000
+PORT=5000
 NODE_ENV=development
 
-# Database
-DATABASE_URL="postgresql://user:password@localhost:5432/skyartshop?schema=public"
+# Database Configuration
+DB_HOST=localhost
+DB_PORT=5432
+DB_NAME=skyartshop
+DB_USER=skyartapp
+DB_PASSWORD=CHANGE_THIS_STRONG_PASSWORD
 
-# JWT
-JWT_SECRET=your-super-secret-jwt-key-change-this-in-production
-JWT_EXPIRES_IN=7d
+# Session Security (CRITICAL: Generate strong random secrets)
+# Generate with: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
+SESSION_SECRET=CHANGE_THIS_64_CHARACTER_HEX_STRING
+JWT_SECRET=CHANGE_THIS_64_CHARACTER_HEX_STRING
 
-# CORS
-CORS_ORIGIN=http://localhost:5173
+# CORS Configuration
+CORS_ORIGIN=http://localhost:3000
 
-# Upload
+# File Upload Settings
 MAX_FILE_SIZE=5242880
+ALLOWED_FILE_TYPES=image/jpeg,image/png,image/gif,image/webp
+
+# Rate Limiting
+RATE_LIMIT_WINDOW_MS=900000
+RATE_LIMIT_MAX_REQUESTS=100
+
+# Logging
+LOG_LEVEL=info
+
+# Security Headers
+FORCE_HTTPS=false
+
+# ⚠️ SECURITY CHECKLIST:
+# [ ] Change SESSION_SECRET to 64-character random hex
+# [ ] Change JWT_SECRET to 64-character random hex  
+# [ ] Set strong DB_PASSWORD (12+ chars, mixed case, numbers, symbols)
+# [ ] Update CORS_ORIGIN for production domain
+# [ ] Set NODE_ENV=production in production
+# [ ] Set FORCE_HTTPS=true in production
+# [ ] Review all settings before deploying