@@ -44,15 +44,6 @@ JWT_ALGORITHM=HS256
4444BASIC_AUTH_USER = admin
4545BASIC_AUTH_PASSWORD = changeme
4646AUTH_REQUIRED = true
47-
48- # Secret used to sign JWTs (use long random value in prod)
49- # PRODUCTION: Use a strong, random secret (minimum 32 characters)
50- JWT_SECRET_KEY = my-test-key
51-
52- # Algorithm used to sign JWTs (e.g., HS256)
53- JWT_ALGORITHM = HS256
54-
55- # Expiry time for generated JWT tokens (in minutes; e.g. 7 days)
5647TOKEN_EXPIRY = 10080
5748REQUIRE_TOKEN_EXPIRATION = false
5849
@@ -61,16 +52,7 @@ MCP_CLIENT_AUTH_ENABLED=true
6152TRUST_PROXY_AUTH = false
6253PROXY_USER_HEADER = X-Authenticated-User
6354
64- # Used to derive an AES encryption key for secure auth storage
65- # Must be a non-empty string (e.g. passphrase or random secret)
66- AUTH_ENCRYPTION_SECRET = my-test-salt
67-
68- # ####################################
69- # Admin UI and API Toggles
70- # ####################################
71-
72- # Enable the visual Admin UI (true/false)
73- # PRODUCTION: Set to false for security
55+ # UI/Admin Feature Flags
7456MCPGATEWAY_UI_ENABLED = true
7557
7658# Enable the Admin API endpoints (true/false)
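Review bot: `MCPGATEWAY_UI_ENABLED = true` at new line 56 is still defined a second time at new line 62 in the next hunk, so the file keeps a duplicate key even though this commit appears to be removing duplicated settings; most dotenv loaders let the last occurrence win, but which definition is effective is loader-dependent, so one of the two lines should go. The single heading `# UI/Admin Feature Flags` also replaces the per-key note that carried the production guidance, while the sibling `MCPGATEWAY_ADMIN_API_ENABLED` keeps its own comment, so I'd keep one line above the UI flag, e.g. `# Enable the visual Admin UI (true/false); set to false in production`. The same comment stripping leaves `MCPGATEWAY_BULK_IMPORT_MAX_TOOLS` and `MCPGATEWAY_BULK_IMPORT_RATE_LIMIT` (next hunk) and `X_FRAME_OPTIONS` and `HSTS_MAX_AGE` (last hunk) without their units/allowed-values notes that their neighbours still have. If the `AUTH_ENCRYPTION_SECRET` removed here is not a duplicate of an earlier definition outside this hunk, the key is now unset in this sample file and should be re-added with its comment.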
@@ -80,11 +62,7 @@ MCPGATEWAY_UI_ENABLED=true
8062MCPGATEWAY_UI_ENABLED = true
8163MCPGATEWAY_ADMIN_API_ENABLED = true
8264MCPGATEWAY_BULK_IMPORT_ENABLED = true
83-
84- # Maximum number of tools allowed per bulk import request
8565MCPGATEWAY_BULK_IMPORT_MAX_TOOLS = 200
86-
87- # Rate limiting for bulk import endpoint (requests per minute)
8866MCPGATEWAY_BULK_IMPORT_RATE_LIMIT = 10
8967
9068# ####################################
@@ -139,53 +117,12 @@ CORS_ENABLED=true
139117
140118# CORS allow credentials (true/false)
141119CORS_ALLOW_CREDENTIALS = true
142-
143- # Environment setting (development/production) - affects security defaults
144- # development: Auto-configures CORS for localhost:3000, localhost:8080, etc.
145- # production: Uses APP_DOMAIN for HTTPS origins, enforces secure cookies
146- ENVIRONMENT = development
147-
148- # Domain configuration for production CORS origins
149- # In production, automatically creates origins: https://APP_DOMAIN, https://app.APP_DOMAIN, https://admin.APP_DOMAIN
150- # For production: set to your actual domain (e.g., mycompany.com)
151- APP_DOMAIN = localhost
152-
153- # Security settings for cookies
154- # production: Automatically enables secure cookies regardless of this setting
155- # development: Set to false for HTTP development, true for HTTPS
156120SECURE_COOKIES = true
157-
158- # Cookie SameSite attribute for CSRF protection
159- # strict: Maximum security, may break some OAuth flows
160- # lax: Good balance of security and compatibility (recommended)
161- # none: Requires Secure=true, allows cross-site usage
162121COOKIE_SAMESITE = lax
163-
164- # ####################################
165- # Security Headers Configuration
166- # ####################################
167-
168- # Enable security headers middleware (true/false)
169- SECURITY_HEADERS_ENABLED = true
170-
171- # X-Frame-Options setting (DENY, SAMEORIGIN, or ALLOW-FROM uri)
172- # DENY: Prevents all iframe embedding (recommended for security)
173- # SAMEORIGIN: Allows embedding from same domain only
174- # To disable: Set to empty string X_FRAME_OPTIONS=""
175122X_FRAME_OPTIONS = DENY
176-
177- # Other security headers (true/false)
178- X_CONTENT_TYPE_OPTIONS_ENABLED = true
179- X_XSS_PROTECTION_ENABLED = true
180- X_DOWNLOAD_OPTIONS_ENABLED = true
181-
182- # HSTS (HTTP Strict Transport Security) settings
183123HSTS_ENABLED = true
184- # HSTS max age in seconds (31536000 = 1 year)
185124HSTS_MAX_AGE = 31536000
186125HSTS_INCLUDE_SUBDOMAINS = true
187-
188- # Remove server identification headers (true/false)
189126REMOVE_SERVER_HEADERS = true
190127
191128# Enable HTTP Basic Auth for docs endpoints (in addition to Bearer token auth)