docs(security): warn that APP_SECRET must never change after setup

APP_SECRET does double duty: it signs JWTs and derives the AES-256-GCM key
that encrypts stored AI-provider credentials. Rotating it makes every saved
AI API key undecryptable and invalidates existing sessions. Document this
footgun where operators set the value (RT-30 from the red-team report).

- .env.example: dual-role warning block above APP_SECRET
- README.md / README.ru.md: warning callout in the upgrade section

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
claude_code
2026-06-21 02:04:36 +03:00
parent d105397dcf
commit 70c26f356a
3 changed files with 16 additions and 0 deletions


@@ -12,6 +12,11 @@ PORT=3000
# (The /mcp limiter keeps a global per-email key as an IP-independent backstop,
# but the per-IP and per-IP+email keys rely on a trustworthy X-Forwarded-For.)
# APP_SECRET has a DUAL role: it signs JWTs AND derives the AES-256-GCM key that
# encrypts stored AI-provider credentials (API keys) at rest. CONSEQUENCE: if you
# change APP_SECRET after setup, every stored AI API key becomes undecryptable —
# you must re-enter them in AI settings — and all existing sessions/JWTs are
# invalidated. Choose it ONCE, keep it stable, and back it up alongside your DB.
# minimum of 32 characters. Generate one with: openssl rand -hex 32
APP_SECRET=REPLACE_WITH_LONG_SECRET
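Review bot: the new warning block is inserted just above `# minimum of 32 characters. Generate one with: openssl rand -hex 32`, which leaves that line reading as a lowercase sentence fragment detached from whatever introduced it; fold the length requirement into the new block (e.g. end it with `# It must be at least 32 characters. Generate one with: openssl rand -hex 32`) or move the length/generation line above the new block so the dual-role warning is the last thing an operator reads before `APP_SECRET=REPLACE_WITH_LONG_SECRET`. Two smaller points on the same lines: the em-dashes in `undecryptable — you must re-enter them` are fine in a comment but tend to get mangled by editors that are not UTF-8 aware, so plain commas or parentheses are safer in an `.env` file; and since the comment tells operators to back the secret up "alongside your DB", it would help to say why in one clause (the stored AI API keys are unrecoverable without it), because a DB restore without the matching `APP_SECRET` is the failure mode the warning exists to prevent.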