variables consistency in docs, added .env.example

.env.example

@@ -0,0 +1,73 @@
+# Caddy Proxy Manager Environment Configuration
+# Copy this file to .env and update with your secure values
+# IMPORTANT: chmod 600 .env after creating it
+
+# =============================================================================
+# REQUIRED SECURITY SETTINGS (PRODUCTION)
+# =============================================================================
+
+# Session Secret (REQUIRED)
+# Generate with: openssl rand -base64 32
+# Must be at least 32 characters in production
+SESSION_SECRET=your-secure-session-secret-here-min-32-chars
+
+# Admin Credentials (REQUIRED)
+# USERNAME: Any username (e.g., "admin" is fine)
+# PASSWORD: Must be 12+ characters with:
+#   - Uppercase letters (A-Z)
+#   - Lowercase letters (a-z)
+#   - Numbers (0-9)
+#   - Special characters (!@#$%^&* etc.)
+ADMIN_USERNAME=admin
+ADMIN_PASSWORD=Your-Secure-P@ssw0rd-Here!
+
+# =============================================================================
+# APPLICATION CONFIGURATION
+# =============================================================================
+
+# Public base URL for the application
+BASE_URL=http://localhost:3000
+
+# =============================================================================
+# OPTIONAL: ADVANCED CONFIGURATION
+# =============================================================================
+
+# Database configuration (usually no need to change)
+# DATABASE_URL=file:./data/caddy-proxy-manager.db
+
+# Caddy Admin API endpoint (usually no need to change)
+# CADDY_API_URL=http://caddy:2019
+
+# Certificate storage directory (usually no need to change)
+# CERTS_DIRECTORY=./data/certs
+
+# Login rate limiting (optional, for custom rate limit settings)
+# LOGIN_MAX_ATTEMPTS=5
+# LOGIN_WINDOW_MS=300000
+# LOGIN_BLOCK_MS=900000
+
+# =============================================================================
+# SECURITY NOTES
+# =============================================================================
+#
+# Production Security (Strictly Enforced):
+# - Application will refuse to start without proper credentials
+# - Default values (admin/admin) are automatically rejected
+# - All requirements are validated at startup
+#
+# Quick Setup for Production:
+#   export SESSION_SECRET=$(openssl rand -base64 32)
+#   export ADMIN_USERNAME="admin"
+#   export ADMIN_PASSWORD="YourStr0ng-P@ssw0rd!"
+#
+# Development Mode:
+#   export NODE_ENV=development
+#   # Default credentials (admin/admin) work in development
+#
+# Security Best Practices:
+# 1. Never commit your .env file to version control
+# 2. Generate unique secrets for each deployment
+# 3. Use strong passwords with mixed case, numbers, and special characters
+# 4. Rotate secrets regularly in production
+# 5. Keep file permissions restricted (chmod 600 .env)
+# 6. Never share credentials via insecure channels