# NIST CSF 2.0 MCP Server Environment Configuration Template
# Copy this file to .env and configure with your values
# NEVER commit the actual .env file to version control
# Format: dotenv (one KEY=VALUE per line, full-line `#` comments only).
# Do not put a trailing comment on a value line; many loaders keep it as
# part of the value.
# ============================================
# Authentication Configuration - PROGRESSIVE SECURITY
# ============================================
# Choose your authentication mode (disabled -> simple -> oauth)
#
# STEP 1 - Quick Start (DEFAULT): No Authentication
# Perfect for initial testing, development, and getting started
# AUTH_MODE=disabled (or leave empty - this is the default)
# With authentication disabled every tool is callable by anyone who can
# reach the port, so keep SERVER_HOST on loopback (127.0.0.1) and never
# expose the server beyond the local machine in this mode.
#
# STEP 2 - Simple Security: API Key Authentication
# Easy upgrade when you need basic security
# AUTH_MODE=simple
# API_KEY=your-secret-api-key-here
# Generate the key with a CSPRNG (e.g. `openssl rand -hex 32`). A single
# shared key identifies a deployment rather than a user, so rotate it
# whenever a client that held it is decommissioned.
#
# STEP 3 - Enterprise Security: Full OAuth 2.1 with JWT
# Production-grade security with your identity provider
# AUTH_MODE=oauth
# JWKS_URL=https://your-idp.com/.well-known/jwks.json
# MCP_AUDIENCE=mcp-server-prod
# TOKEN_ISSUER=https://your-idp.com
# Choose your authentication mode
AUTH_MODE=disabled
# Simple Authentication (API Key mode)
# Uncomment and set when AUTH_MODE=simple
# API_KEY=generate-a-secure-random-key-here
# OAuth 2.1 Authentication (Enterprise mode)
# Uncomment and configure when AUTH_MODE=oauth
# JWKS_URL must be https. Both MCP_AUDIENCE and TOKEN_ISSUER must be
# checked on every token so a token minted for another service at the
# same IdP is rejected.
# JWKS_URL=https://your-idp.com/.well-known/jwks.json
# MCP_AUDIENCE=mcp-server-prod
# TOKEN_ISSUER=https://your-idp.com
# Accepted signing algorithms. Keep this to asymmetric algorithms that
# match the keys published at JWKS_URL. Never add "none" or an HS*
# (shared-secret) algorithm to this list: accepting HS* next to a public
# JWKS key is the classic algorithm-confusion mistake.
# JWT_ALGORITHMS=RS256,RS384,RS512
# Maximum accepted token age (presumably seconds; 900 = 15 minutes).
# TOKEN_MAX_AGE=900
# Legacy compatibility (overrides AUTH_MODE if set to false)
# A stray ENABLE_AUTH=false silently turns authentication off regardless
# of AUTH_MODE. Make sure it is unset in every production environment, and
# check for it first when a server is unexpectedly open.
# ENABLE_AUTH=false
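# ============================================
# Server Configuration
# ============================================
# Server port (default: 8080)
SERVER_PORT=8080
# Bind address (application default: 0.0.0.0)
# The template binds to loopback because AUTH_MODE above defaults to
# "disabled": 0.0.0.0 would expose every tool on every interface with no
# authentication. Switch to 0.0.0.0 only once AUTH_MODE is "simple" or
# "oauth", or the server sits behind an authenticating reverse proxy.
SERVER_HOST=127.0.0.1
# Node environment (production, development, test)
NODE_ENV=production
# Max request size in bytes (default: 1MB)
MAX_REQUEST_SIZE=1048576
# Request timeout in milliseconds (default: 30000)
REQUEST_TIMEOUT=30000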
# ============================================
# Security Configuration
# ============================================
# Enable rate limiting (default: true)
ENABLE_RATE_LIMITING=true
# Max requests per minute per client (default: 100)
# NOTE(review): how a "client" is identified is not visible here. If it is
# the source IP and the server runs behind a proxy or load balancer, the
# whole proxy will be throttled as one client unless the forwarded client
# address is trusted from that proxy only.
MAX_REQUESTS_PER_MINUTE=100
# Enable audit logging (default: true)
ENABLE_AUDIT_LOG=true
# Log level (debug, info, warn, error, critical)
# Do not run production at "debug": debug output commonly includes request
# headers and bodies, which for this server means API keys and bearer tokens.
LOG_LEVEL=info
# Enable CORS (default: false in production)
ENABLE_CORS=false
# Allowed CORS origins (comma-separated)
# List exact origins (scheme + host + port). Never use "*" for a server
# that accepts credentials or API keys from a browser.
CORS_ORIGINS=
# Enable request validation (default: true)
ENABLE_VALIDATION=true
# Enable security headers (default: true)
ENABLE_SECURITY_HEADERS=true
# ============================================
# Database Configuration
# ============================================
# Database file path
# A relative path resolves against the process working directory, so start
# the server from a fixed directory (or use an absolute path) and keep the
# file out of any web-served or upload directory.
DATABASE_PATH=./data/nist-csf-2.0.db
# Enable database encryption (default: false)
# Assessment data lives in this file; leave encryption off only for local
# development, and apply the same care to the backups written to BACKUP_PATH.
ENABLE_DB_ENCRYPTION=false
# Database encryption key (required if encryption enabled)
# Generate with a CSPRNG, e.g. `openssl rand -hex 32`. Losing this key makes
# the encrypted database unreadable, so escrow it with the backups.
DB_ENCRYPTION_KEY=
# Max database connections (default: 10)
MAX_DB_CONNECTIONS=10
# Database query timeout in milliseconds (default: 5000)
DB_QUERY_TIMEOUT=5000
# ============================================
# Tool Permissions (JSON arrays)
# ============================================
# List of allowed tools (empty = all allowed)
# An empty list fails open: every tool the server registers, including any
# added by a later upgrade, becomes callable. Keep this list explicit.
ALLOWED_TOOLS=["create_assessment","update_assessment","get_subcategory","list_subcategories","get_profile_summary","compare_profiles","export_data","generate_report","import_assessment","validate_evidence","get_implementation_template","generate_policy_template","generate_test_scenarios"]
# List of blocked tools (takes precedence over allowed)
BLOCKED_TOOLS=[]
# Tools requiring special permissions
# NOTE(review): with AUTH_MODE=disabled there is no authenticated principal
# to carry a "special permission", so this list can only be meaningful once
# simple or oauth mode is on. Confirm what the server does with it when
# authentication is off.
PRIVILEGED_TOOLS=["import_assessment","export_data","generate_report"]
# ============================================
# Rate Limiting Configuration (per tool)
# ============================================
# Format: TOOL_NAME_RATE_LIMIT=requests:window_seconds
# Presumably only honoured while ENABLE_RATE_LIMITING=true above.
CREATE_ASSESSMENT_RATE_LIMIT=30:60
UPDATE_ASSESSMENT_RATE_LIMIT=50:60
IMPORT_ASSESSMENT_RATE_LIMIT=10:60
EXPORT_DATA_RATE_LIMIT=20:60
GENERATE_REPORT_RATE_LIMIT=15:60
VALIDATE_EVIDENCE_RATE_LIMIT=20:60
# NOTE(review): the three keys below do not follow TOOL_NAME_RATE_LIMIT for
# the tool names in ALLOWED_TOOLS (generate_policy_template,
# get_implementation_template, generate_test_scenarios). Confirm which key
# the rate limiter actually reads; a key nothing reads silently leaves that
# tool without a per-tool limit.
GENERATE_POLICY_RATE_LIMIT=10:60
GENERATE_TEMPLATE_RATE_LIMIT=15:60
GENERATE_TEST_RATE_LIMIT=10:60
# ============================================
# File Upload Configuration
# ============================================
# Max file upload size in bytes (default: 10MB)
MAX_FILE_SIZE=10485760
# Allowed file extensions for evidence (comma-separated)
# An extension allowlist only checks the name. .doc/.docx/.xlsx can carry
# macros and .json/.csv/.txt contain whatever the uploader put in them, so
# treat stored evidence as untrusted: verify the declared type against the
# content where possible and never serve uploads back inline from a web
# origin. Match case-insensitively and on the final extension only, so that
# "evidence.pdf.exe" does not pass.
ALLOWED_FILE_EXTENSIONS=.pdf,.doc,.docx,.txt,.png,.jpg,.jpeg,.csv,.xlsx,.json
# Upload directory path
# Keep this outside any static/web root and separate from DATABASE_PATH;
# only the server process should be able to write here.
UPLOAD_DIR=./data/uploads
# ============================================
# Monitoring & Alerting
# ============================================
# Enable metrics collection (default: true)
ENABLE_METRICS=true
# Metrics port (default: 9090)
# NOTE(review): nothing here indicates the metrics endpoint is authenticated.
# Bind it to loopback or a private interface and scrape it from there;
# do not publish it alongside SERVER_PORT.
METRICS_PORT=9090
# Alert webhook URL (optional)
# Webhook URLs usually embed a token; treat this value as a secret.
ALERT_WEBHOOK_URL=
# Alert threshold for failed auth attempts (default: 10)
FAILED_AUTH_THRESHOLD=10
# Alert threshold for rate limit violations (default: 50)
RATE_LIMIT_THRESHOLD=50
# ============================================
# Session Management
# ============================================
# Session timeout in seconds (default: 3600 = 1 hour)
SESSION_TIMEOUT=3600
# Max concurrent sessions per client (default: 5)
MAX_SESSIONS_PER_CLIENT=5
# Session secret (required in production)
# Use at least 32 random bytes from a CSPRNG (e.g. `openssl rand -base64 48`)
# and a different value per environment; sharing it with dev or staging
# lets a session from there be replayed against production. Rotating it
# will typically invalidate every existing session.
SESSION_SECRET=
# ============================================
# Secrets (NEVER commit actual values)
# ============================================
# Prefer injecting these from a secrets manager or the orchestrator's secret
# store at runtime over writing them into .env on disk. If they must live in
# .env, restrict the file to the service account (chmod 600) and rotate them
# on any suspected exposure.
# API keys for external services
EXTERNAL_API_KEY=
# Database password (if using external database)
DATABASE_PASSWORD=
# Encryption keys
ENCRYPTION_KEY=
# HMAC secret for data integrity
# Use a separate random value from ENCRYPTION_KEY; do not reuse one key for
# both encryption and integrity.
HMAC_SECRET=
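# ============================================
# Testing Configuration (Development Only)
# ============================================
# Test user passwords (for development testing only)
# Left commented out on purpose: these values are public in this template,
# so any account that accepts them is effectively unauthenticated. Set them
# only in a throwaway .env for a test run, never in a production .env, and
# treat any TEST_* variable present next to NODE_ENV=production as a
# misconfiguration.
# TEST_USER_PASSWORD=SecureTestUser123!
# TEST_ADMIN_PASSWORD=SecureTestAdmin456!
# TEST_ATTACKER_PASSWORD=SecureTestAttacker789!
# Test JWT secret (for unit tests only)
# Also public in this template; a token signed with it must never be
# accepted outside the unit-test suite.
# TEST_JWT_SECRET=secure-test-jwt-secret-minimum-32-characters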
# ============================================
# Feature Flags
# ============================================
# Enable experimental features (default: false)
ENABLE_EXPERIMENTAL=false
# Enable debug mode (default: false, NEVER true in production)
DEBUG_MODE=false
# Enable API documentation endpoint (default: false in production)
# Keep this off in production: a documentation endpoint presumably
# enumerates every tool and parameter, which is reconnaissance for free.
ENABLE_API_DOCS=false
# ============================================
# Compliance & Regulatory
# ============================================
# Compliance mode (HIPAA, PCI-DSS, SOC2, etc.)
COMPLIANCE_MODE=
# Data retention period in days (default: 90)
DATA_RETENTION_DAYS=90
# Enable data anonymization (default: false)
ENABLE_ANONYMIZATION=false
# Geographic restrictions (comma-separated country codes)
# Country is inferred from the client address, which a VPN or proxy
# trivially changes; treat this as a policy control, not an access control.
ALLOWED_COUNTRIES=
# ============================================
# Backup & Recovery
# ============================================
# Enable automatic backups (default: true)
ENABLE_BACKUPS=true
# Backup schedule (cron format)
# The value contains spaces. Most dotenv loaders keep it intact, but if this
# file is ever sourced by a shell the value must be quoted.
BACKUP_SCHEDULE=0 2 * * *
# Backup retention in days (default: 30)
BACKUP_RETENTION_DAYS=30
# Backup storage path
# Backups presumably hold the same data as DATABASE_PATH, in plaintext when
# ENABLE_DB_ENCRYPTION is off. Give them the same file permissions, keep
# them off the upload and web paths, and prefer storage the server can
# write to but not delete from, so a compromised server cannot destroy
# its own history.
BACKUP_PATH=./backups