BillTracker/.env.example

# ── Bill Tracker — Environment Variables ──────────────────────────────────────
# Copy this file to .env and fill in your values before deploying.
# Keep the real .env out of version control; it can hold the admin password.
# Docker Compose reads .env automatically.
# For direct Node.js: NODE_ENV=production node server.js (or use PM2).
# ── Server ─────────────────────────────────────────────────────────────────────
# Port number for the server (presumably the HTTP listen port — confirm in server.js).
PORT=3000
# Runtime mode; the header above uses the same value for direct Node.js starts.
# NOTE(review): presumably also switches the app to production behaviour — confirm.
NODE_ENV=production
# ── CSRF Cookie httpOnly Setting ──────────────────────────────────────────────
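# Controls the httpOnly flag on the CSRF cookie (default: true).
# Set CSRF_HTTP_ONLY=false only if the front end must read the token from the
# cookie in JavaScript (SPA CSRF patterns). Any script running on the page,
# including injected script, can then read the token as well.
# CSRF_HTTP_ONLY: "true" (secure, default - cookie not readable by JS)
# CSRF_HTTP_ONLY: "false" (SPA mode - allows JavaScript to read cookie)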
#
# ── CSRF Cookie sameSite Setting ──────────────────────────────────────────────
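# Controls the sameSite attribute on the CSRF cookie (default: strict).
# Options: 'lax', 'strict', 'none'
# CSRF_SAME_SITE: "strict" (most secure - default)
# CSRF_SAME_SITE: "lax" (for SPA cross-site scenarios)
# 'none' sends the cookie on every cross-site request, and browsers accept a
# sameSite=none cookie only when the secure flag is also set, so keep
# CSRF_SECURE=true if you use it.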
#
# ── CSRF Cookie secure Setting ───────────────────────────────────────────────
# Controls the secure flag on the CSRF cookie (default: true - HTTPS only).
# Set CSRF_SECURE=false only for HTTP development (NOT recommended for production);
# the cookie is then also sent over unencrypted connections.
# CSRF_SECURE: "true" (HTTPS only - default)
# CSRF_SECURE: "false" (HTTP allowed - development only)
#
# ── CSRF Cookie Name ─────────────────────────────────────────────────────────
# CSRF cookie name (default: bt_csrf_token)
# Use CSRF_COOKIE_NAME to customize for multi-app deployments
# CSRF_COOKIE_NAME: "bt_csrf_token" (default)
# ── Data paths (used by both Docker and direct deployments) ───────────────────
# Docker: these are set in the Dockerfile; override here only if needed.
# Direct: set these to absolute paths on the server.
#
# DB_PATH=/opt/bill-tracker/data/db/bills.db
# BACKUP_PATH=/opt/bill-tracker/data/backups
# ── First-run admin account ────────────────────────────────────────────────────
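# Set BOTH on first start to create the admin account automatically.
# Replace the example password below with a strong, unique one before
# uncommenting; the value sits in plaintext in .env for as long as it is set.
# Remove or comment out after the server has started once — they are not
# needed again. Open the web UI afterward to create your first user account.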
#
# INIT_ADMIN_USER=admin
# INIT_ADMIN_PASS=changeme123