Aktueller Stand

.env.example

@@ -1,15 +1,22 @@
+# --- Runtime ---
+NODE_ENV=development
+AUTO_MIGRATE=false
+
 # --- Ports (host bindings) ---
+BIND_IP=127.0.0.1
 API_PORT=8201
 WEB_PORT=3201
 
 # Public API URL used by the frontend (browser). Set to http(s)://<host>:<api-port>
 VITE_API_URL=http://localhost:8201
+VITE_CLEANUP_ENABLED=false
 
 # Allow Vite dev server to accept requests for these hostnames (comma-separated)
 VITE_ALLOWED_HOSTS=localhost,docker
 
 # If running behind a reverse proxy (e.g. Nginx Proxy Manager), enable this
 TRUST_PROXY=false
+WEB_BASE_URL=https://mailcleaner.srv.medeba-media.de
 
 # --- Database / Queue ---
 DATABASE_URL=postgresql://mailcleaner:mailcleaner@postgres:5432/mailcleaner
@@ -18,6 +25,35 @@ REDIS_URL=redis://redis:6379
 # JWT signing secret for auth
 JWT_SECRET=dev-change-me
 
+# Allowed CORS origins (comma-separated). Required in production.
+CORS_ORIGINS=http://localhost:3201
+
+# Enable Swagger docs (/docs). Keep false in production.
+ENABLE_SWAGGER=false
+
+# Global rate limit
+RATE_LIMIT_MAX=300
+RATE_LIMIT_WINDOW=1 minute
+
+# Auth-specific rate limit
+RATE_LIMIT_AUTH_MAX=10
+RATE_LIMIT_AUTH_WINDOW=1 minute
+
+# Short-lived SSE token TTL (seconds)
+SSE_TOKEN_TTL_SECONDS=300
+
+# OAuth state TTL (seconds)
+OAUTH_STATE_TTL_SECONDS=600
+
+# Disallow custom IMAP/SMTP hosts unless explicitly enabled
+ALLOW_CUSTOM_MAIL_HOSTS=false
+
+# Block private network targets for unsubscribe HTTP
+BLOCK_PRIVATE_NETWORKS=true
+
+# Encryption key for sensitive secrets (set in production)
+ENCRYPTION_KEY=change-me-please
+
 # --- Google OAuth (Gmail) ---
 GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=