stemedb/docs/demo/vulnbank/config/production.yaml

# VulnBank Production Configuration
# DO NOT USE IN PRODUCTION - Contains security vulnerabilities for testing

server:
  host: 0.0.0.0
  port: 8080

# BLOCK: Hardcoded database credentials in config file
database:
  host: db.vulnbank.internal
  port: 5432
  name: vulnbank_prod
  user: admin
  password: super_secret_prod_password_123!

# BLOCK: Hardcoded database password (flat pattern)
database_password: production_db_password_2024

# BLOCK: Hardcoded API keys in config file
api:
  stripe_secret_key: sk_live_51H7xyz123456789abcdef
  sendgrid_api_key: SG.abcdefghijklmnopqrstuvwxyz123456

# BLOCK: TLS verification disabled (flat pattern for detection)
tls_verify: false
verify_certificates: false

tls:
  min_version: "1.0"  # TLS 1.0 is deprecated per RFC 8996

# BLOCK: CORS allows any origin (flat pattern)
cors_origins: "*"
allowed_origins: "*"

cors:
  allow_credentials: true

# BLOCK: Rate limiting disabled (flat pattern)
rate_limiting: false
rate_limit_enabled: false

# Security settings (all misconfigured)
security:
  # BLOCK: JWT audience validation disabled
  validate_audience: false
  jwt:
    algorithms:
      - HS256
      - none  # BLOCK: Algorithm 'none' allowed

  # Weak session configuration
  session:
    secure: false
    http_only: false
    same_site: none