Production Mode
The MODE environment variable controls security-related behavior in InstaCRUD. This guide explains the differences between modes and what to configure before going live.
Configuration
Set the mode in your .env file:
# === Mode ===
MODE="test" # prod | test
Differences Between Modes
| Feature | MODE="test" | MODE="prod" |
|---|---|---|
| Rate Limiting | Disabled | Enabled |
| HSTS Header | Not sent | Enabled (max-age=31536000) |
Rate Limiting
In production mode, authentication endpoints are rate-limited to prevent brute force attacks:
- Sign in / Sign up: 5 requests per minute per IP
- AI endpoints: 20 requests per minute per user
Rate limiting is disabled in test mode to allow automated tests to run without restrictions.
HSTS Header
In production mode, the Strict-Transport-Security header is sent with all responses:
Strict-Transport-Security: max-age=31536000; includeSubDomains
This instructs browsers to only connect via HTTPS for one year.
Enabling Production Mode
Before switching to MODE="prod", ensure the following prerequisites are met:
1. HTTPS Configuration
The HSTS header tells browsers to only connect via HTTPS. If HTTPS is not properly configured, users will be unable to access your site.
Setting MODE="prod" without HTTPS enabled will cause connection failures. The HSTS header instructs browsers to refuse non-HTTPS connections for one year.
2. Valid SSL Certificate
Use a valid certificate from a trusted Certificate Authority:
- Let's Encrypt (free, automated)
- Commercial CA certificates
- Cloud provider managed certificates (AWS ACM, GCP managed SSL)
Self-signed certificates will cause browser warnings and should not be used in production.
3. Reverse Proxy Configuration
If using nginx, Caddy, or similar reverse proxy, ensure:
- SSL termination is configured correctly
- Headers are forwarded properly (
X-Forwarded-For,X-Forwarded-Proto) - The
ProxyHeadersMiddlewarein InstaCRUD will read these headers
Production Checklist
Before going live, verify the following:
Security Configuration
-
MODE="prod"is set in.env - HTTPS is configured and working
- SSL certificate is valid and not self-signed
-
SECRET_KEYis set to a strong, unique value (not the default)
Access Control
-
CORS_ALLOW_ORIGINSis restricted to your domains (not*) - Database credentials are secure (not default
test:test)
Bot Protection
- Cloudflare Turnstile is configured (
TURNSTILE_SITE_KEYandTURNSTILE_SECRET_KEY)
OAuth (if using social login)
-
GOOGLE_CLIENT_IDandGOOGLE_CLIENT_SECRETare configured -
MS_CLIENT_IDandMS_CLIENT_SECRETare configured - OAuth redirect URIs match your production domain
Email (if using email features)
-
EMAIL_ENABLED=true -
EMAIL_DRIVER=brevo(notfile) -
BREVO_API_KEYis configured -
EMAIL_FROM_ADDRESSuses your verified domain
Verifying Production Mode
After enabling production mode, verify:
-
HTTPS works: Navigate to
https://yourdomain.comand confirm no certificate errors -
HSTS header present: Check response headers in browser DevTools:
Strict-Transport-Security: max-age=31536000; includeSubDomains -
Rate limiting active: Attempt multiple rapid sign-in requests and confirm you receive a 429 (Too Many Requests) response after 5 attempts
Troubleshooting
Users cannot access the site after enabling prod mode
Cause: HSTS was enabled without proper HTTPS configuration.
Solution:
- Configure HTTPS properly
- Users may need to clear their browser's HSTS cache or wait for the cached entry to expire
- In Chrome, visit
chrome://net-internals/#hstsand delete the domain entry
Rate limiting blocks legitimate users
Cause: Multiple users behind the same IP (corporate NAT, VPN).
Solution: Consider implementing user-based rate limiting for authenticated endpoints, which is already configured in InstaCRUD for AI endpoints.
Summary
Production mode enables:
- Rate limiting on authentication endpoints
- HSTS header for HTTPS enforcement
Always ensure HTTPS is properly configured before enabling production mode to avoid locking users out of your application.