feat: add configurable cookie security and login rate limiting

- Added LOGIN_ATTEMPT_SALT environment variable for secure rate limiting hash generation
- Introduced AUTH_COOKIE_SECURE flag to support CDN SSL termination scenarios
- Updated nginx config to properly set X-Forwarded-Proto for CDN deployments

Author: zerox80

.env.docker.example

@@ -12,9 +12,21 @@ JWT_SECRET=
 ADMIN_USERNAME=admin
 ADMIN_PASSWORD=
 
+# Login Security Configuration
+# Required: high-entropy salt used to hash login attempt identifiers (protects rate limiting)
+# Generate with: openssl rand -base64 48
+LOGIN_ATTEMPT_SALT=
+
+# Cookie Security
+# Set to false if using CDN with SSL termination (BunnyCDN, Cloudflare, etc.)
+# AND your nginx config sets X-Forwarded-Proto to https
+# Default: true (cookies only sent over HTTPS)
+# AUTH_COOKIE_SECURE=false
+
 # Optional: CORS Configuration
 # Comma-separated list of allowed frontend origins
 # Default: http://localhost:8489
+# Production example: https://yourdomain.com
 # FRONTEND_ORIGINS=http://localhost:8489,https://yourdomain.com
 
 # Optional: Rust log level

.env.example

@@ -12,6 +12,12 @@ DATABASE_URL=sqlite:./database.db
 # For testing only: use a strong random string in production!
 JWT_SECRET=your-super-secret-jwt-key-min-32-chars-change-me-in-production
 
+# Cookie Security
+# Set to false if using CDN with SSL termination (BunnyCDN, Cloudflare, etc.)
+# AND your nginx config sets X-Forwarded-Proto to https
+# Default: true (cookies only sent over HTTPS)
+# AUTH_COOKIE_SECURE=true
+
 # Server Configuration
 # Port on which the backend server will run
 PORT=8489

docker-compose.yml

@@ -22,6 +22,8 @@ services:
       - FRONTEND_ORIGINS=${FRONTEND_ORIGINS:-http://localhost:8489}
       - ADMIN_USERNAME=${ADMIN_USERNAME:?ADMIN_USERNAME must be set in environment}
       - ADMIN_PASSWORD=${ADMIN_PASSWORD:?ADMIN_PASSWORD must be set in environment}
+      - LOGIN_ATTEMPT_SALT=${LOGIN_ATTEMPT_SALT:?LOGIN_ATTEMPT_SALT must be set in environment}
+      - AUTH_COOKIE_SECURE=${AUTH_COOKIE_SECURE:-true}
     volumes:
       - backend-data:/data
     networks:

nginx-configs/host-reverse-proxy.conf

@@ -47,7 +47,9 @@ server {
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        # WICHTIG: Bei SSL Termination durch CDN (BunnyCDN, Cloudflare, etc.)
+        # muss dies auf 'https' gesetzt werden, damit Cookies richtig funktionieren
+        proxy_set_header X-Forwarded-Proto https;
         proxy_set_header X-Forwarded-Host $host;
         proxy_set_header X-Forwarded-Port $server_port;