feat: improve security configuration with mandatory secret generation

- Removed insecure default values for JWT_SECRET, admin credentials, and LOGIN_ATTEMPT_SALT to prevent accidental production use
- Enhanced documentation with clearer secret generation commands and security best practices
- Added new configuration options for proxy trust settings and comment author display names

Author: zerox80

.env.docker.example

@@ -5,12 +5,14 @@
 # JWT Configuration
 # CRITICAL: Must be at least 32 characters long!
 # Generate with: openssl rand -base64 48
+# Generate all secrets before starting containers.
+# Example: openssl rand -base64 48 | tr -d '\n'
 JWT_SECRET=
 
 # Admin Credentials
 # IMPORTANT: Password must be at least 12 characters long!
-ADMIN_USERNAME=admin
-ADMIN_PASSWORD=
+# ADMIN_USERNAME=
+# ADMIN_PASSWORD=
 
 # Login Security Configuration
 # Required: high-entropy salt used to hash login attempt identifiers (protects rate limiting)

.env.example

@@ -1,16 +1,15 @@
 # Database Configuration
 # Path to SQLite database file
-# In Docker: sqlite:/data/database.db
-# In Development: sqlite:./database.db
-DATABASE_URL=sqlite:./database.db
+# Strongly recommended: store SQLite files outside the project directory to avoid unintended exposure.
+# Example (Linux/macOS): DATABASE_URL=sqlite:/var/lib/linux-tutorial/database.db
+# Example (Windows):     DATABASE_URL=sqlite:C:/linux-tutorial/data/database.db
+# DATABASE_URL=
 
 # JWT Configuration
 # Secret key for JWT token signing and verification
-# CRITICAL: Must be at least 32 characters long!
-# Generate with: openssl rand -base64 48
-# Example: JWT_SECRET=$(openssl rand -base64 48)
-# For testing only: use a strong random string in production!
-JWT_SECRET=your-super-secret-jwt-key-min-32-chars-change-me-in-production
+# CRITICAL: Must be at least 43 characters of high-entropy data (≈256 bits)
+# Generate with: openssl rand -base64 48 > secret.txt && tr -d '\n' < secret.txt
+# JWT_SECRET=
 
 # Cookie Security
 # Set to false if using CDN with SSL termination (BunnyCDN, Cloudflare, etc.)
@@ -25,14 +24,22 @@ FRONTEND_ORIGINS=http://localhost:5173,http://localhost:3000
 
 # Admin Credentials (used to bootstrap default admin user)
 # IMPORTANT: Password must be at least 12 characters long (NIST recommendation)!
-# Change these values for production use!
-ADMIN_USERNAME=admin
-ADMIN_PASSWORD=change-me-min-12-chars
+# You must supply installation-specific credentials before running the backend.
+# ADMIN_USERNAME=
+# ADMIN_PASSWORD=
 
 # Login Security Configuration
 # Required: high-entropy salt used to hash login attempt identifiers (protects rate limiting)
-#openssl rand -base64 48
-LOGIN_ATTEMPT_SALT=generate-a-random-64-byte-string
+# Generate with: openssl rand -base64 64 | tr -d '\n'
+# LOGIN_ATTEMPT_SALT=
+
+# Proxy / Network Security
+# Set to true only when running behind a trusted reverse proxy that sets X-Forwarded-* headers.
+# TRUST_PROXY_IP_HEADERS=false
+
+# Comment Display Configuration
+# Optional: override the public author name used for admin-generated comments.
+# COMMENT_AUTHOR_DISPLAY_NAME=Administrator
 
 # Logging Configuration
 # Rust log level (trace, debug, info, warn, error)