upDocs

BitsHost · BitsHost · commit 23a8f7f41374 · 2026-01-01T00:32:24.000+02:00
diff --git a/README.md b/README.md
@@ -47,12 +47,14 @@ OpenAPI (Swagger) docs, and zero code generation.
 
 **🛡️ [SECURE YOUR DASHBOARD NOW →](docs/DASHBOARD_SECURITY.md)** - Complete protection guide
 
-**Quick Fix (5 minutes):** Add IP whitelist to `.htaccess`:
+**Quick Fix (5 minutes):** Add IP whitelist to `.htaccess` (Apache 2.4+):
 ```apache
 <Files "dashboard.html">
-    Order Deny,Allow
-    Deny from all
-    Allow from YOUR.IP.ADDRESS  # Replace with your IP
+  # Allow only localhost by default
+  Require ip 127.0.0.1 ::1
+
+  # To allow your public IP, add an extra line like:
+  # Require ip YOUR.PUBLIC.IP.ADDRESS
 </Files>
 ```
 
@@ -186,6 +188,19 @@ return [
 ];
 ```
 
+### Environment variables (.env)
+
+For easier secret management and 12-factor style deployments, the project also supports a root-level `.env` file.
+
+- Copy `.env.example` to `.env` and adjust values for your environment.
+- The following keys override values from `config/db.php` and `config/api.php` when defined:
+  - `DB_HOST`, `DB_NAME`, `DB_USER`, `DB_PASS`, `DB_CHARSET`
+  - `API_AUTH_METHOD`
+  - `API_KEYS` (comma-separated list)
+  - `BASIC_ADMIN_PASSWORD`, `BASIC_USER_PASSWORD`
+  - `JWT_SECRET`, `JWT_EXPIRATION`, `JWT_ISSUER`, `JWT_AUDIENCE`
+- The public entrypoint loads `.env` before configs, and `.htaccess` protects `.env` from direct web access.
+
 ---
 
 ## 🔒 Security Setup (Production)
diff --git a/SECURITY.md b/SECURITY.md
@@ -184,8 +184,10 @@ With `debug = false`:
 Before deploying to production, verify:
 
 - [ ] Dashboard and health endpoint are protected (IP whitelist or Basic Auth)
+- [ ] Sensitive folders (`config`, `src`, `storage`, `logs`, `vendor`, `private-vault`, `sql`, `tests`) are not web-accessible (web root points to `public/` **or** per-folder `.htaccess` uses `Require all denied`)
 - [ ] Authentication is enabled (`authentication.enabled = true`)
 - [ ] Strong API keys generated (not defaults or examples)
+- [ ] Secrets (DB credentials, JWT secret, API keys, Basic passwords) are not committed in Git and are configured via environment variables / `.env` or secure config files
 - [ ] Rate limiting is enabled
 - [ ] Request logging is enabled
 - [ ] Debug mode is disabled (`debug = false`)
diff --git a/docs/CONFIG_FLOW.md b/docs/CONFIG_FLOW.md
@@ -84,6 +84,8 @@ return [
 ];
 ```
 
+> 💡 **Environment overrides:** For deployments that use environment variables or a `.env` file, some sensitive values from `config/api.php` can be overridden at runtime (for example: `API_AUTH_METHOD`, `API_KEYS`, `BASIC_ADMIN_PASSWORD`, `BASIC_USER_PASSWORD`, `JWT_SECRET`, `JWT_EXPIRATION`, `JWT_ISSUER`, `JWT_AUDIENCE`). This keeps the configuration flow the same while allowing secrets to live outside of versioned PHP config files.
+
 ### Step 2: Router Loads Config via Config Class
 
 **File:** `src/Router.php`
