security improvements

2026-01-07 16:20:49 +00:00
parent 9af8d471a6
commit 24ab4593f3
7 changed files with 295 additions and 32 deletions
--- a/.env.example
+++ b/.env.example
@@ -0,0 +1,45 @@
+# SchoolCompare Environment Configuration
+# Copy this file to .env and update the values
+
+# =============================================================================
+# DATABASE
+# =============================================================================
+# PostgreSQL connection string
+DATABASE_URL=postgresql://schoolcompare:CHANGE_THIS_PASSWORD@localhost:5432/schoolcompare
+
+# =============================================================================
+# SERVER
+# =============================================================================
+# Set to False in production
+DEBUG=False
+
+# Server host and port
+HOST=0.0.0.0
+PORT=80
+
+# =============================================================================
+# CORS
+# =============================================================================
+# Comma-separated list of allowed origins
+# In production, only include your actual domain
+ALLOWED_ORIGINS=["https://schoolcompare.co.uk"]
+
+# =============================================================================
+# SECURITY
+# =============================================================================
+# Admin API key for protected endpoints (e.g., /api/admin/reload)
+# Generate a secure random key: python -c "import secrets; print(secrets.token_urlsafe(32))"
+ADMIN_API_KEY=CHANGE_THIS_TO_A_SECURE_RANDOM_KEY
+
+# Rate limiting (requests per minute per IP)
+RATE_LIMIT_PER_MINUTE=60
+RATE_LIMIT_BURST=10
+
+# Maximum request body size in bytes (default 1MB)
+MAX_REQUEST_SIZE=1048576
+
+# =============================================================================
+# API
+# =============================================================================
+DEFAULT_PAGE_SIZE=50
+MAX_PAGE_SIZE=100