Fork Security Setup
When you fork 瑞成 PMS, you must rotate all secrets before deploying to production.
Required Rotations
1. AUTH_SECRET
bash
# Generate a new secret
openssl rand -base64 32Set in your deployment platform (Zeabur env vars).
2. Database Password
Change the PostgreSQL password in DATABASE_URL — never use the default dev password in production.
3. Seed Demo Passwords
The seeded demo accounts (R90001 / Admin123! 等) use static, publicly-known passwords for local dev and e2e. Before production, reset or remove them and set real passwords for the actual 瑞成 personnel (badge login R00001 格式).
瑞成 PMS 以工牌編號 + 密碼登入,沒有 OAuth、沒有金流,因此無需輪替 OAuth 或 payment provider 金鑰。
Security Checklist
- [ ]
AUTH_SECRETrotated and set in platform env vars - [ ]
DATABASE_URLuses a production-only DB user with minimal permissions - [ ] 已重設/移除 seed demo 帳號的預設密碼
- [ ]
AUTH_URLis set to your exact production URL (no trailing slash) - [ ] HTTPS enforced (Zeabur handles this automatically)
- [ ] No secrets committed to git (check
.gitignore)
OWASP Top 10 Mitigations
| Risk | Mitigation in 瑞成 PMS |
|---|---|
| Injection | Drizzle ORM with parameterized queries |
| Broken Auth | NextAuth v5, stateless JWT, no custom auth code |
| Sensitive Data | Passwords hashed with bcrypt, tokens in-memory |
| RBAC failures | requireRole() checked server-side in every action |
| Security Misconfiguration | zbpack.json sets security headers at platform level |
| XSS | React escaping + CSP headers |
| CSRF | SameSite cookie + NextAuth CSRF protection |
See docs/guides/en/fork-security-setup.md for the full OWASP guide.