Disable `show_password_hint` by default

A setting that provides unauthenticated access to potentially sensitive data shouldn't be enabled by default.
author: Jeremy Lin <[email protected]> 2021-07-10 01:20:37 -0700
committer: Jeremy Lin <[email protected]> 2021-07-10 01:20:37 -0700
commit: 8ee5d51bd47279d5b23c409744fab6614af0e918 (patch)
tree: 0a9fa71b5b3240abf15aa44d3022cf2318cb2ddd /.env.template
parent: 3968bc8016611cdf9a84db68990f27624ab17889 (diff)
download: vaultwarden-8ee5d51bd47279d5b23c409744fab6614af0e918.tar.gz
vaultwarden-8ee5d51bd47279d5b23c409744fab6614af0e918.zip
1 files changed, 4 insertions, 2 deletions
diff --git a/.env.template b/.env.template
index 530a6a01..1662080e 100644
--- a/.env.template
+++ b/.env.template
@@ -210,8 +210,10 @@
 ## The change only applies when the password is changed
 # PASSWORD_ITERATIONS=100000
 
-## Whether password hint should be sent into the error response when the client request it
-# SHOW_PASSWORD_HINT=true
+## Controls whether a password hint should be shown directly in the web page if
+## SMTP service is not configured. Not recommended for publicly-accessible instances
+## as this provides unauthenticated access to potentially sensitive data.
+# SHOW_PASSWORD_HINT=false
 
 ## Domain settings
 ## The domain must match the address from where you access the server
author	Jeremy Lin <[email protected]>	2021-07-10 01:20:37 -0700
committer	Jeremy Lin <[email protected]>	2021-07-10 01:20:37 -0700
commit	8ee5d51bd47279d5b23c409744fab6614af0e918 (patch)
tree	0a9fa71b5b3240abf15aa44d3022cf2318cb2ddd /.env.template
parent	3968bc8016611cdf9a84db68990f27624ab17889 (diff)
download	vaultwarden-8ee5d51bd47279d5b23c409744fab6614af0e918.tar.gz vaultwarden-8ee5d51bd47279d5b23c409744fab6614af0e918.zip