txeo/cv-site
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
64cb99086077400cc47f0ae13f83ffc34c8fff30
cv-site/.env.example
T
juanatsap f91a24ea9b feat: Add plain text CV endpoint and contact form with security 
Plain text endpoint:
- Add /text route for plain text CV (for curl/AI crawlers)
- Use k3a/html2text library for HTML-to-text conversion
- Add Plain Text button to hamburger menu with UI translations

Contact form feature:
- Add ContactHandler with proper email service integration
- Add CSRF protection middleware
- Add rate limiting (5 submissions/hour per IP)
- Add honeypot and timing-based bot protection
- Add input validation with detailed error messages
- Add security logging middleware
- Add browser-only middleware for API protection

Code quality:
- Fix all golangci-lint errcheck warnings for w.Write calls
- Remove duplicate getClientIP functions
- Wire up ContactHandler in routes.Setup
2025-11-30 13:47:49 +00:00

76 lines
2.4 KiB
Bash
Raw Blame History

# Environment Configuration Example
# Copy this file to .env and customize as needed
# Server Configuration
PORT=1999
HOST=localhost
GO_ENV=development
# Template Configuration
TEMPLATE_DIR=templates
PARTIALS_DIR=templates/partials
TEMPLATE_HOT_RELOAD=true
# Data Configuration
DATA_DIR=data
# Server Timeouts (seconds)
READ_TIMEOUT=15
WRITE_TIMEOUT=15
# Security Configuration
# Allowed origins for API access (comma-separated domains)
# Prevents external sites from accessing your API/PDF endpoint
#
# DEFAULT: If empty, defaults to juan.andres.morenorub.io (the CV site domain)
# Plus localhost and 127.0.0.1 are always allowed in development
#
# For custom domains in production: ALLOWED_ORIGINS=yourdomain.com,www.yourdomain.com
# Multiple domains: ALLOWED_ORIGINS=domain1.com,domain2.com,www.domain1.com
ALLOWED_ORIGINS=
# Rate Limiter Configuration
# CRITICAL: Prevents IP spoofing attacks that bypass rate limiting
#
# BEHIND_PROXY: Set to true ONLY if behind a trusted reverse proxy (nginx, caddy, cloudflare)
# - Development (default): false - Uses RemoteAddr only, immune to header spoofing
# - Production behind proxy: true - Trusts X-Forwarded-For from proxy
#
# TRUSTED_PROXY_IP: Optional - IP address of your reverse proxy
# - If set, only X-Forwarded-For headers from this IP are trusted
# - Example: 127.0.0.1 (for local nginx), 10.0.0.1 (for load balancer)
# - Leave empty to trust X-Forwarded-For from any source (less secure)
#
# Security Impact:
# - BEHIND_PROXY=false (dev): Ignores all X-Forwarded-For headers, uses actual connection IP
# - BEHIND_PROXY=true (prod): Trusts proxy, extracts client IP from X-Forwarded-For
# - Logs all suspicious spoofing attempts for security monitoring
#
BEHIND_PROXY=false
TRUSTED_PROXY_IP=
# Email Configuration (Contact Form)
# For Gmail:
# 1. Enable 2FA in your Google account
# 2. Go to https://myaccount.google.com/apppasswords
# 3. Generate an App Password
# 4. Use that password here (not your regular Gmail password)
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USER=your-email@gmail.com
SMTP_PASSWORD=your-app-password-here
SMTP_FROM_EMAIL=your-email@gmail.com
CONTACT_EMAIL=txeo.msx@gmail.com
# Production Settings
# Uncomment for production:
# GO_ENV=production
# TEMPLATE_HOT_RELOAD=false
# READ_TIMEOUT=30
# WRITE_TIMEOUT=30
# ALLOWED_ORIGINS=yourdomain.com,www.yourdomain.com
#
# Production behind reverse proxy:
# BEHIND_PROXY=true
# TRUSTED_PROXY_IP=127.0.0.1
Reference in New Issue View Git Blame Copy Permalink