mirror of
https://github.com/skysyaz/timesheet-staging.git
synced 2026-07-14 08:40:51 +00:00
Accept legacy route:list --columns, lock timesheet edits, tighten password throttle and session defaults, and fix site traffic date/unique races without Postgres-only SQL. Co-authored-by: Cursor <cursoragent@cursor.com>
111 lines
2.7 KiB
Plaintext
111 lines
2.7 KiB
Plaintext
APP_NAME="Quatriz TimeSheet"
|
|
APP_ENV=local
|
|
APP_KEY=
|
|
APP_DEBUG=true
|
|
APP_URL=http://localhost:8000
|
|
APP_TIMEZONE=Asia/Kuala_Lumpur
|
|
|
|
APP_LOCALE=en
|
|
APP_FALLBACK_LOCALE=en
|
|
APP_FAKER_LOCALE=en_US
|
|
|
|
APP_MAINTENANCE_DRIVER=file
|
|
# APP_MAINTENANCE_STORE=database
|
|
|
|
BCRYPT_ROUNDS=12
|
|
|
|
LOG_CHANNEL=stack
|
|
LOG_LEVEL=debug
|
|
|
|
# SQLite (dev)
|
|
# DB_CONNECTION=sqlite
|
|
|
|
# PostgreSQL (production)
|
|
DB_CONNECTION=pgsql
|
|
DB_HOST=127.0.0.1
|
|
DB_PORT=5432
|
|
DB_DATABASE=timesheet
|
|
DB_USERNAME=postgres
|
|
DB_PASSWORD=
|
|
|
|
SESSION_DRIVER=database
|
|
SESSION_LIFETIME=120
|
|
SESSION_SECURE_COOKIE=
|
|
SESSION_ENCRYPT=true
|
|
SESSION_HTTP_ONLY=true
|
|
SESSION_SAME_SITE=lax
|
|
|
|
FILESYSTEM_DISK=local
|
|
QUEUE_CONNECTION=database
|
|
|
|
CACHE_STORE=database
|
|
|
|
# Security hardening (production: set APP_DEBUG=false, SESSION_ENCRYPT=true)
|
|
SECURITY_CSP_REPORT_ONLY=true
|
|
# Set true after verifying no CSP violations in browser console / reports
|
|
SECURITY_CSP_ENFORCE=false
|
|
SECURITY_COOP=same-origin
|
|
SECURITY_CORP=same-origin
|
|
SECURITY_CONTACT=security@skysyaz.my
|
|
SECURITY_TXT_EXPIRES=2027-06-30T00:00:00.000Z
|
|
HEALTH_CHECK_ALLOWED_IPS=
|
|
|
|
# MFA: admins must enroll TOTP on first login (production)
|
|
# UI: prevent stale modal overlays from blocking profile/logout after saves
|
|
UI_CONSISTENT_BUTTONS=true
|
|
|
|
# Cloudflare WAF (optional — see scripts/apply-cloudflare-waf.sh)
|
|
# CF_API_TOKEN=
|
|
# CF_ZONE_ID=
|
|
MAIL_MAILER=smtp
|
|
MAIL_HOST=smtp.resend.com
|
|
MAIL_PORT=587
|
|
MAIL_USERNAME=resend
|
|
MAIL_PASSWORD=
|
|
MAIL_ENCRYPTION=tls
|
|
MAIL_FROM_ADDRESS=timesheet@skysyaz.my
|
|
MAIL_FROM_NAME="${APP_NAME}"
|
|
|
|
VITE_APP_NAME="${APP_NAME}"
|
|
|
|
# --- Observability (Flare, activitylog, Better Uptime) ---
|
|
# Flare error tracking — set FLARE_REPORT=true in production after adding key
|
|
FLARE_KEY=
|
|
FLARE_REPORT=false
|
|
FLARE_TRACE=true
|
|
FLARE_SAMPLER_RATE=0.1
|
|
FLARE_TENANT_TAG=quatriz
|
|
|
|
# Admin audit trail (spatie/laravel-activitylog)
|
|
ACTIVITYLOG_ENABLED=true
|
|
# Retention period for audit logs. Consider compliance requirements:
|
|
# - Financial/payroll data may require 7 years
|
|
# - GDPR typically allows 90 days for security logs
|
|
# - Review your organization's data retention policy
|
|
ACTIVITYLOG_RETENTION_DAYS=90
|
|
|
|
# Admin dashboard site traffic counter with daily aggregation
|
|
SITE_TRAFFIC_ENABLED=true
|
|
|
|
# Timesheet workflow emails: queue (default) or send during the HTTP request (false)
|
|
TIMESHEET_NOTIFICATIONS_QUEUE=true
|
|
|
|
# Better Uptime / Better Stack heartbeat monitors
|
|
BETTER_UPTIME_ENABLED=false
|
|
UPTIME_HEARTBEAT_TOKEN=
|
|
UPTIME_SCHEDULER_STALE_MINUTES=5
|
|
UPTIME_QUEUE_STALE_MINUTES=5
|
|
|
|
# Watchtower error logging (https://log.skysyaz.my)
|
|
WATCHTOWER_URL=https://log.skysyaz.my
|
|
WATCHTOWER_TOKEN=
|
|
|
|
# --- Production checklist ---
|
|
# APP_ENV=production
|
|
# APP_DEBUG=false
|
|
# APP_URL=https://timesheet.quatriz-sd.my
|
|
# APP_URL=https://timesheet.skysyaz.my
|
|
# SESSION_SECURE_COOKIE=true
|
|
# SESSION_ENCRYPT=true
|
|
# LOG_LEVEL=error
|