Add hashing and other security features #12
82
.env
82
.env
@ -17,3 +17,85 @@
|
|||||||
# REQUIRED if the application is inside the container
|
# REQUIRED if the application is inside the container
|
||||||
# If you want to change this value, you need to change the values in Settings.json and move the file itself to the desired location.
|
# If you want to change this value, you need to change the values in Settings.json and move the file itself to the desired location.
|
||||||
PATH_TO_SAVE=
|
PATH_TO_SAVE=
|
||||||
|
|
||||||
|
# Security
|
||||||
|
|
||||||
|
# JWT signature token
|
||||||
|
# string (UTF8)
|
||||||
|
# This token will be used to create and verify the signature of JWT tokens.
|
||||||
|
# The token must be equal to 64 characters
|
||||||
|
SECURITY_SIGNING_TOKEN=
|
||||||
|
|
||||||
|
# Token for JWT encryption
|
||||||
|
# string (UTF8)
|
||||||
|
# This token will be used to encrypt and decrypt JWT tokens.
|
||||||
|
# The token must be equal to 32 characters
|
||||||
|
SECURITY_ENCRYPTION_TOKEN=
|
||||||
|
|
||||||
|
# Time in minutes, which indicates after which time the Refresh Token will become invalid
|
||||||
|
# integer
|
||||||
|
# The token indicates how long after the user is inactive, he will need to log in again
|
||||||
|
SECURITY_LIFE_TIME_RT=1440
|
||||||
|
|
||||||
|
# The time in a minute, which indicates that this is exactly what it takes to become a non-state
|
||||||
|
# integer
|
||||||
|
# Do not specify a time that is too long or too short. Optimally 5 > x > 60
|
||||||
|
SECURITY_LIFE_TIME_JWT=15
|
||||||
|
|
||||||
|
# Time in minutes, which indicates after which time the token of the first factor will become invalid
|
||||||
|
# integer
|
||||||
|
# Do not specify a short time. The user must be able to log in using the second factor
|
||||||
|
SECURITY_LIFE_TIME_1_FA=15
|
||||||
|
|
||||||
|
# An identifier that points to the server that created the token
|
||||||
|
# string
|
||||||
|
SECURITY_JWT_ISSUER=
|
||||||
|
|
||||||
|
# ID of the audience for which the token is intended
|
||||||
|
# string
|
||||||
|
SECURITY_JWT_AUDIENCE=
|
||||||
|
|
||||||
|
### Hashing
|
||||||
|
|
||||||
|
# In order to set up hashing correctly, you need to start from the security requirements
|
||||||
|
# You can use the settings that were used in https://github.com/P-H-C/phc-winner-argon2
|
||||||
|
# These parameters have a STRONG impact on performance
|
||||||
|
# When testing the system, these values were used:
|
||||||
|
# 10 <= SECURITY_HASH_ITERATION <= 25 iterations
|
||||||
|
# 16384 <= SECURITY_HASH_MEMORY <= 32768 KB
|
||||||
|
# 4 <= SECURITY_HASH_PARALLELISM <= 8 lines
|
||||||
|
# If we take all the large values, it will take a little more than 1 second to get the hash. If this time is critical, reduce the parameters
|
||||||
|
|
||||||
|
# The number of iterations used to hash passwords in the Argon2 algorithm
|
||||||
|
# integer
|
||||||
|
# This parameter determines the number of iterations that the Argon2 algorithm goes through when hashing passwords.
|
||||||
|
# Increasing this value can improve security by increasing the time it takes to calculate the password hash.
|
||||||
|
# The average number of iterations to increase the security level should be set to at least 10.
|
||||||
|
SECURITY_HASH_ITERATION=
|
||||||
|
|
||||||
|
# The amount of memory used to hash passwords in the Argon2 algorithm
|
||||||
|
# integer
|
||||||
|
# 65536
|
||||||
|
# This parameter determines the number of kilobytes of memory that will be used for the password hashing process.
|
||||||
|
# Increasing this value may increase security, but it may also require more system resources.
|
||||||
|
SECURITY_HASH_MEMORY=
|
||||||
|
|
||||||
|
# Parallelism determines how many of the memory fragments divided into strips will be used to generate a hash
|
||||||
|
# integer
|
||||||
|
# This value affects the hash itself, but can be changed to achieve an ideal execution time, taking into account the processor and the number of cores.
|
||||||
|
SECURITY_HASH_PARALLELISM=
|
||||||
|
|
||||||
|
# The size of the output hash generated by the password hashing algorithm
|
||||||
|
# integer
|
||||||
|
SECURITY_HASH_SIZE=32
|
||||||
|
|
||||||
|
# Additional protection for Argon2
|
||||||
|
# string (BASE64)
|
||||||
|
# (optional)
|
||||||
|
# We recommend installing a token so that even if the data is compromised, an attacker cannot brute force a password without a token
|
||||||
|
SECURITY_HASH_TOKEN=
|
||||||
|
|
||||||
|
# The size of the salt used to hash passwords
|
||||||
|
# integer
|
||||||
|
# The salt is a random value added to the password before hashing to prevent the use of rainbow hash tables and other attacks.
|
||||||
|
SECURITY_SALT_SIZE=16
|
Loading…
Reference in New Issue
Block a user