variables consistency in docs, added .env.example

.env.example

@@ -0,0 +1,73 @@
+# Caddy Proxy Manager Environment Configuration
+# Copy this file to .env and update with your secure values
+# IMPORTANT: chmod 600 .env after creating it
+
+# =============================================================================
+# REQUIRED SECURITY SETTINGS (PRODUCTION)
+# =============================================================================
+
+# Session Secret (REQUIRED)
+# Generate with: openssl rand -base64 32
+# Must be at least 32 characters in production
+SESSION_SECRET=your-secure-session-secret-here-min-32-chars
+
+# Admin Credentials (REQUIRED)
+# USERNAME: Any username (e.g., "admin" is fine)
+# PASSWORD: Must be 12+ characters with:
+#   - Uppercase letters (A-Z)
+#   - Lowercase letters (a-z)
+#   - Numbers (0-9)
+#   - Special characters (!@#$%^&* etc.)
+ADMIN_USERNAME=admin
+ADMIN_PASSWORD=Your-Secure-P@ssw0rd-Here!
+
+# =============================================================================
+# APPLICATION CONFIGURATION
+# =============================================================================
+
+# Public base URL for the application
+BASE_URL=http://localhost:3000
+
+# =============================================================================
+# OPTIONAL: ADVANCED CONFIGURATION
+# =============================================================================
+
+# Database configuration (usually no need to change)
+# DATABASE_URL=file:./data/caddy-proxy-manager.db
+
+# Caddy Admin API endpoint (usually no need to change)
+# CADDY_API_URL=http://caddy:2019
+
+# Certificate storage directory (usually no need to change)
+# CERTS_DIRECTORY=./data/certs
+
+# Login rate limiting (optional, for custom rate limit settings)
+# LOGIN_MAX_ATTEMPTS=5
+# LOGIN_WINDOW_MS=300000
+# LOGIN_BLOCK_MS=900000
+
+# =============================================================================
+# SECURITY NOTES
+# =============================================================================
+#
+# Production Security (Strictly Enforced):
+# - Application will refuse to start without proper credentials
+# - Default values (admin/admin) are automatically rejected
+# - All requirements are validated at startup
+#
+# Quick Setup for Production:
+#   export SESSION_SECRET=$(openssl rand -base64 32)
+#   export ADMIN_USERNAME="admin"
+#   export ADMIN_PASSWORD="YourStr0ng-P@ssw0rd!"
+#
+# Development Mode:
+#   export NODE_ENV=development
+#   # Default credentials (admin/admin) work in development
+#
+# Security Best Practices:
+# 1. Never commit your .env file to version control
+# 2. Generate unique secrets for each deployment
+# 3. Use strong passwords with mixed case, numbers, and special characters
+# 4. Rotate secrets regularly in production
+# 5. Keep file permissions restricted (chmod 600 .env)
+# 6. Never share credentials via insecure channels

.gitignore

@@ -5,6 +5,7 @@ dist
 data
 *.log
 .env*
+!.env.example
 /.idea
 tsconfig.tsbuildinfo
 /caddy-data

README.md

@@ -142,9 +142,12 @@ Visit `http://localhost:3000/login` and sign in with your credentials.
 | `ADMIN_USERNAME` | Admin login username | `admin` | **Yes** |
 | `ADMIN_PASSWORD` | Admin password (see requirements below) | `admin` (dev only) | **Yes** |
 | `BASE_URL` | Public URL of the dashboard | `http://localhost:3000` | No |
-| `CADDY_API_URL` | Caddy Admin API endpoint | `http://caddy:2019` | No |
-| `DATABASE_PATH` | SQLite file path | `/app/data/caddy-proxy-manager.db` | No |
-| `PRIMARY_DOMAIN` | Default domain for Caddy config | `caddyproxymanager.com` | No |
+| `CADDY_API_URL` | Caddy Admin API endpoint | `http://caddy:2019` (prod)<br/>`http://localhost:2019` (dev) | No |
+| `DATABASE_URL` | SQLite database URL | `file:./data/caddy-proxy-manager.db` | No |
+| `CERTS_DIRECTORY` | Certificate storage directory | `./data/certs` | No |
+| `LOGIN_MAX_ATTEMPTS` | Max login attempts before rate limit | `5` | No |
+| `LOGIN_WINDOW_MS` | Rate limit window in milliseconds | `300000` (5 min) | No |
+| `LOGIN_BLOCK_MS` | Rate limit block duration in milliseconds | `900000` (15 min) | No |
 
 **Production Security Requirements (Strictly Enforced):**