timesheet-prod/.env.example
skysyaz b133de92fa Harden security fixes and repair traffic/route regressions.
Accept legacy route:list --columns, lock timesheet edits, tighten password throttle and session defaults, and fix site traffic date/unique races without Postgres-only SQL.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-07-10 20:52:40 +08:00

111 lines
2.7 KiB
Plaintext

APP_NAME="Quatriz TimeSheet"
APP_ENV=local
APP_KEY=
APP_DEBUG=true
APP_URL=http://localhost:8000
APP_TIMEZONE=Asia/Kuala_Lumpur
APP_LOCALE=en
APP_FALLBACK_LOCALE=en
APP_FAKER_LOCALE=en_US
APP_MAINTENANCE_DRIVER=file
# APP_MAINTENANCE_STORE=database
BCRYPT_ROUNDS=12
LOG_CHANNEL=stack
LOG_LEVEL=debug
# SQLite (dev)
# DB_CONNECTION=sqlite
# PostgreSQL (production)
DB_CONNECTION=pgsql
DB_HOST=127.0.0.1
DB_PORT=5432
DB_DATABASE=timesheet
DB_USERNAME=postgres
DB_PASSWORD=
SESSION_DRIVER=database
SESSION_LIFETIME=120
SESSION_SECURE_COOKIE=
SESSION_ENCRYPT=true
SESSION_HTTP_ONLY=true
SESSION_SAME_SITE=lax
FILESYSTEM_DISK=local
QUEUE_CONNECTION=database
CACHE_STORE=database
# Security hardening (production: set APP_DEBUG=false, SESSION_ENCRYPT=true)
SECURITY_CSP_REPORT_ONLY=true
# Set true after verifying no CSP violations in browser console / reports
SECURITY_CSP_ENFORCE=false
SECURITY_COOP=same-origin
SECURITY_CORP=same-origin
SECURITY_CONTACT=security@skysyaz.my
SECURITY_TXT_EXPIRES=2027-06-30T00:00:00.000Z
HEALTH_CHECK_ALLOWED_IPS=
# MFA: admins must enroll TOTP on first login (production)
# UI: prevent stale modal overlays from blocking profile/logout after saves
UI_CONSISTENT_BUTTONS=true
# Cloudflare WAF (optional — see scripts/apply-cloudflare-waf.sh)
# CF_API_TOKEN=
# CF_ZONE_ID=
MAIL_MAILER=smtp
MAIL_HOST=smtp.resend.com
MAIL_PORT=587
MAIL_USERNAME=resend
MAIL_PASSWORD=
MAIL_ENCRYPTION=tls
MAIL_FROM_ADDRESS=timesheet@skysyaz.my
MAIL_FROM_NAME="${APP_NAME}"
VITE_APP_NAME="${APP_NAME}"
# --- Observability (Flare, activitylog, Better Uptime) ---
# Flare error tracking — set FLARE_REPORT=true in production after adding key
FLARE_KEY=
FLARE_REPORT=false
FLARE_TRACE=true
FLARE_SAMPLER_RATE=0.1
FLARE_TENANT_TAG=quatriz
# Admin audit trail (spatie/laravel-activitylog)
ACTIVITYLOG_ENABLED=true
# Retention period for audit logs. Consider compliance requirements:
# - Financial/payroll data may require 7 years
# - GDPR typically allows 90 days for security logs
# - Review your organization's data retention policy
ACTIVITYLOG_RETENTION_DAYS=90
# Admin dashboard site traffic counter with daily aggregation
SITE_TRAFFIC_ENABLED=true
# Timesheet workflow emails: queue (default) or send during the HTTP request (false)
TIMESHEET_NOTIFICATIONS_QUEUE=true
# Better Uptime / Better Stack heartbeat monitors
BETTER_UPTIME_ENABLED=false
UPTIME_HEARTBEAT_TOKEN=
UPTIME_SCHEDULER_STALE_MINUTES=5
UPTIME_QUEUE_STALE_MINUTES=5
# Watchtower error logging (https://log.skysyaz.my)
WATCHTOWER_URL=https://log.skysyaz.my
WATCHTOWER_TOKEN=
# --- Production checklist ---
# APP_ENV=production
# APP_DEBUG=false
# APP_URL=https://timesheet.quatriz-sd.my
# APP_URL=https://timesheet.skysyaz.my
# SESSION_SECURE_COOKIE=true
# SESSION_ENCRYPT=true
# LOG_LEVEL=error