From e9e1e12cbbe6abb447308e67b9df336c4cd57f93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Wed, 13 May 2026 08:25:46 +0200 Subject: [PATCH] Update README with SECRET_KEY_BASE details Added information about SECRET_KEY_BASE requirement and its implications. --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index cece692..43070ba 100644 --- a/README.md +++ b/README.md @@ -32,13 +32,15 @@ sudo chown 1000:1000 -R /var/openproject/assets Next you start up the containers in the background while making sure to pull the latest versions of all used images. ```shell -OPENPROJECT_HTTPS=false docker compose up -d --build --pull always +SECRET_KEY_BASE=OVERWRITE_ME OPENPROJECT_HTTPS=false docker compose up -d --build --pull always ``` - After a while, OpenProject should be up and running on `http://localhost:8080`. The default username and password is login: `admin`, and password: `admin`. The `OPENPROJECT_HTTPS=false` environment variable explicitly disables HTTPS mode for the first startup. Without this, OpenProject assumes it's running behind HTTPS in production by default. We do strongly recommend you use OpenProject behind a TLS terminated proxy for production purposes and remove this flag before actually starting to use it. +You will also need to provide a secure key for the `SECRET_KEY_BASE`, it should be unique and treated like a password. +This value is used to derive keys for the Rails application. Changing this value will invalidate all cookies, including sessions and 2FA remembering tokens. + ### Customization The `docker-compose.yml` file present in the repository can be adjusted to your convenience. But note that with each pull, it will be overwritten.