Remove hardcoded API key - CRITICAL SECURITY FIX

- Remove hardcoded TTS API key from app.py (major security vulnerability) - Add python-dotenv support for secure environment variable management - Create .env.example with configuration template - Add comprehensive SECURITY.md documentation - Update README with security configuration instructions - Add warning when TTS_API_KEY is not configured - Enhance .gitignore to prevent accidental commits of .env files BREAKING CHANGE: TTS_API_KEY must now be set via environment variable or .env file Security measures: - API keys must be provided via environment variables - Added dotenv support for local development - Clear documentation on secure deployment practices - Multiple .env file patterns in .gitignore 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-03 00:06:18 -06:00
parent 17e0f2f03d
commit d010ae9b74
6 changed files with 183 additions and 5 deletions
--- a/.env.example
+++ b/.env.example
@@ -0,0 +1,22 @@
+# Example environment configuration for Talk2Me
+# Copy this file to .env and update with your actual values
+
+# Flask Configuration
+SECRET_KEY=your-secret-key-here-change-this
+
+# Upload Configuration
+UPLOAD_FOLDER=/path/to/secure/upload/folder
+
+# TTS Server Configuration
+TTS_SERVER_URL=http://localhost:5050/v1/audio/speech
+TTS_API_KEY=your-tts-api-key-here
+
+# CORS Configuration (for production)
+CORS_ORIGINS=https://yourdomain.com,https://app.yourdomain.com
+ADMIN_CORS_ORIGINS=https://admin.yourdomain.com
+
+# Admin Token (for admin endpoints)
+ADMIN_TOKEN=your-secure-admin-token-here
+
+# Optional: GPU Configuration
+# CUDA_VISIBLE_DEVICES=0