From 8ee5d51bd47279d5b23c409744fab6614af0e918 Mon Sep 17 00:00:00 2001
From: Jeremy Lin
Date: Sat, 10 Jul 2021 01:20:37 -0700
Subject: Disable `show_password_hint` by default

A setting that provides unauthenticated access to potentially sensitive data shouldn't be enabled by default.
---
 .env.template | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to '.env.template')

diff --git a/.env.template b/.env.template
index 530a6a01..1662080e 100644
--- a/.env.template
+++ b/.env.template
@@ -210,8 +210,10 @@
 ## The change only applies when the password is changed
 # PASSWORD_ITERATIONS=100000
 
-## Whether password hint should be sent into the error response when the client request it
-# SHOW_PASSWORD_HINT=true
+## Controls whether a password hint should be shown directly in the web page if
+## SMTP service is not configured. Not recommended for publicly-accessible instances
+## as this provides unauthenticated access to potentially sensitive data.
+# SHOW_PASSWORD_HINT=false
 
 ## Domain settings
 ## The domain must match the address from where you access the server
-- 
cgit v1.2.3
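Review bot: The new default is only documented here — `# SHOW_PASSWORD_HINT=false` stays commented out, so the effective default is whatever the application's config code uses, and this view is limited to `.env.template`, so I cannot confirm from the hunk that the code default changed in the same commit. If it did, the comment should say so explicitly so operators do not assume they must set the variable themselves, e.g. `## Defaults to false; enabling this on a publicly-accessible instance is not recommended.`. The removed comment described the hint as being sent in the error response, whereas the new one says it is shown in the web page; if both delivery paths still exist, the comment should name both so an operator reviewing exposure knows where the hint can appear.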