fix: stop logging password reset secrets
This commit is contained in:
sirily
@@ -23,6 +23,8 @@ Deploy on one VPS with Docker Compose.
|
||||
- Keep secrets in server-side environment files or a secret manager.
|
||||
- Back up PostgreSQL and object storage separately.
|
||||
- Prefer Telegram long polling to avoid an extra public webhook surface for the bot.
|
||||
- In non-production environments, set `EMAIL_PROVIDER=example` only when you explicitly want the built-in debug transport. It logs redacted email previews and must never emit live password-reset tokens.
|
||||
- Do not rely on implicit email fallbacks. Unsupported providers now fail fast at startup so misconfigured deployments do not silently drop password-reset or billing mail.
|
||||
|
||||
## Upgrade strategy
|
||||
- Build new images.
|
||||
|
||||
Reference in New Issue
Block a user