# Deploy to Production

This guide covers the key changes needed when moving from a local setup to production.
## Security checklist

### 1. Change the admin password

The default config uses `hunter2`. Change it immediately:

```yaml
admin_email: "your-admin@company.com"
admin_password: "<strong-password>"
```

Or set via environment variables:

```sh
DWCTL_ADMIN_EMAIL=your-admin@company.com
DWCTL_ADMIN_PASSWORD=<strong-password>
```

### 2. Generate a secret key

The secret key signs JWT tokens. Generate a secure one:

```sh
openssl rand -base64 32
```

Set it in your environment:

```sh
SECRET_KEY=<your-generated-key>
```

### 3. Configure CORS

Add your production frontend URL to allowed origins:

```yaml
auth:
  security:
    cors:
      allowed_origins:
        - "https://your-app.company.com"
```

### 4. Use a production database

Point to your production PostgreSQL instance:

```sh
DATABASE_URL=postgres://user:password@your-db-host:5432/control_layer
```

## Infrastructure
### Run behind a reverse proxy

In production, run the Control Layer behind nginx, Caddy, or a cloud load balancer that handles:

- TLS termination
- Rate limiting
- Access logging
The Control Layer binds to `0.0.0.0:3001` by default, so your proxy should forward to that address. Because it listens on all interfaces, make sure port 3001 is reachable only from the proxy and not directly from the public network.
### Enable secure cookies

For HTTPS deployments, enable secure cookies:

```yaml
auth:
  native:
    session:
      cookie_secure: true
      cookie_same_site: "strict"
```

### Disable registration

Unless you want open signups, keep registration disabled:

```yaml
auth:
  native:
    allow_registration: false
```

Admins create users manually via the UI.
## Monitoring

Once deployed:

- Set up health monitoring for your endpoints (see Set Up Health Monitoring)
- Monitor the Control Layer's `/health` endpoint from your infrastructure
- Set up log aggregation for request logs
## Quick reference

| Setting | Dev default | Production |
|---|---|---|
| `admin_password` | `hunter2` | Strong password |
| `secret_key` | None | Random 32+ bytes |
| `cookie_secure` | `true` | `true` |
| `allow_registration` | `false` | `false` |
| `cors.allowed_origins` | `localhost:3001` | Your domain |