Harden security controls from REPORT findings

2026-03-01 13:32:08 -03:00
parent da5cbc2c01
commit bdd97d1c62
20 changed files with 1455 additions and 97 deletions
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -1,15 +1,20 @@
 APP_ENV=development
 DATABASE_URL=postgresql+psycopg://dcm:dcm@db:5432/dcm
-REDIS_URL=redis://redis:6379/0
+REDIS_URL=redis://:replace-with-redis-password@redis:6379/0
+REDIS_SECURITY_MODE=auto
+REDIS_TLS_MODE=auto
+ALLOW_DEVELOPMENT_ANONYMOUS_USER_ACCESS=true
 STORAGE_ROOT=/data/storage
 ADMIN_API_TOKEN=replace-with-random-admin-token
 USER_API_TOKEN=replace-with-random-user-token
+APP_SETTINGS_ENCRYPTION_KEY=replace-with-random-settings-encryption-key
 MAX_UPLOAD_FILES_PER_REQUEST=50
 MAX_UPLOAD_FILE_SIZE_BYTES=26214400
 MAX_UPLOAD_REQUEST_SIZE_BYTES=104857600
 MAX_ZIP_MEMBER_UNCOMPRESSED_BYTES=26214400
 MAX_ZIP_TOTAL_UNCOMPRESSED_BYTES=157286400
 MAX_ZIP_COMPRESSION_RATIO=120
+MAX_ZIP_DESCENDANTS_PER_ROOT=1000
 PROVIDER_BASE_URL_ALLOWLIST=["api.openai.com"]
 PROVIDER_BASE_URL_ALLOW_HTTP=false
 PROVIDER_BASE_URL_ALLOW_PRIVATE_NETWORK=false
@@ -23,6 +28,6 @@ DEFAULT_ROUTING_MODEL=gpt-4.1-mini
 TYPESENSE_PROTOCOL=http
 TYPESENSE_HOST=typesense
 TYPESENSE_PORT=8108
-TYPESENSE_API_KEY=dcm-typesense-key
+TYPESENSE_API_KEY=replace-with-random-typesense-api-key
 TYPESENSE_COLLECTION_NAME=documents
 PUBLIC_BASE_URL=http://localhost:8000