CRITICAL SECURITY: Disable debug output in production

- Add production environment configuration - Force disable performance debug middleware in production - Add ProductionSecurityMiddleware for route protection - Update PerformanceServiceInitializer to check environment - Add deployment script for production - Update docker-compose with environment variables This fixes the critical security issue of debug information being exposed on the production site.
2025-09-12 17:10:42 +02:00
parent 9b74ade5b0
commit 8fe569a3df
11 changed files with 319 additions and 6 deletions
--- a/.env.production
+++ b/.env.production
@@ -43,4 +43,29 @@ GID=1000
 OPCACHE_ENABLED=true
 REDIS_HOST=production-redis-host
 REDIS_PORT=6379
-REDIS_PASSWORD=SECURE_REDIS_PASSWORD_HERE
+REDIS_PASSWORD=SECURE_REDIS_PASSWORD_HERE
+
+# Analytics Configuration (Production)
+ANALYTICS_ENABLED=true
+ANALYTICS_TRACK_PAGE_VIEWS=true
+ANALYTICS_TRACK_API_CALLS=true
+ANALYTICS_TRACK_USER_ACTIONS=true
+ANALYTICS_TRACK_ERRORS=true
+ANALYTICS_TRACK_PERFORMANCE=false  # Disable debug performance tracking
+
+# Session Fingerprinting (Production - Stricter)
+SESSION_FINGERPRINT_STRICT=true
+SESSION_FINGERPRINT_USER_AGENT=true
+SESSION_FINGERPRINT_ACCEPT_LANGUAGE=true
+SESSION_FINGERPRINT_IP_PREFIX=true
+SESSION_FINGERPRINT_THRESHOLD=0.8
+
+# JavaScript Logger Configuration
+VITE_LOG_LEVEL=error
+
+# CRITICAL: Disable Xdebug in production
+XDEBUG_MODE=off
+
+# Admin IP Whitelist (comma-separated)
+# Add your office/home IP for production admin access
+ADMIN_ALLOWED_IPS=127.0.0.1,::1